Asymmetrically encrypted passwords with Java KeyStore (via script)
Instead of holding all of the information needed for decryption in the password text itself (see obfuscation and PBE encryption), this method uses a key held in an external Java KeyStore. The encryption is asymmetric, e.g. RSA: the public key of the keystore entry encrypts the password, and only the private key stored in the keystore can decrypt it.
The security of asymmetrically encrypted passwords is high, provided the keystore file and the configuration file that holds its password are accessible only to the user running Lobster Integration. Anyone who can read both files can decrypt every $KS$ value created with that keystore.
Setting up the Java KeyStore
If no Java KeyStore is available yet, it can be created with the following command. Place the generated Java KeyStore in a directory that only the user running the Lobster Integration process can access.
Note: Here, the directory "etc\admin" (./etc/admin) is used, which is also the default directory for the configuration files in the following steps. Any other directory suitable for the purpose may be used instead.
Note: For the example, use the keystore password "my keystore password" (for your own setup you can of course choose any other password).
Note: Where an input field is shown empty in the example, you can also leave it empty (press Return).
Note: You can ignore the warning about the JKS format printed at the end; the keystore works as it is. If you prefer the PKCS12 format, run the migration command shown in the warning.
D:\IS>keytool -genkey -alias lobster -keyalg RSA -keysize 2048 -keystore etc\admin\pwd_ks.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Test Keystore for Config Password Encryption
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: Lobster GmbH
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: DE
Is CN=Test Keystore for Config Password Encryption, OU=IT, O=Lobster GmbH, L=Unknown, ST=Unknown, C=DE correct?
[no]: yes
Enter key password for <lobster>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore etc\admin\pwd_ks.keystore -destkeystore etc\admin\pwd_ks.keystore -deststoretype pkcs12".
As a result, you get the keystore file ./etc/admin/pwd_ks.keystore.
Configuration file for password encryption with Java KeyStore
When the Java KeyStore was created, the keystore password my keystore password was used. Because Return was pressed at the key password prompt, the same password also protects the private key of the entry lobster. This password must be stored in the following configuration file, ./etc/admin/ks.properties, so that the script can open the keystore.
The property keys are prefixed with keystore_ followed by the alias chosen with keytool, here keystore_lobster:
keystore_lobster.filename=./etc/admin/pwd_ks.keystore
keystore_lobster.password=my keystore password
#keystore_lobster.type=JCEKS
#keystore_lobster.provider=BC
Password encryption with the Java KeyStore
Once these preparations are complete, you can create an asymmetrically encrypted password with the script bin\password.bat, passing the keystore alias with -k:
D:\IS> bin\password.bat -k lobster "some password"
$KS$lobster$QUgjl4kFMzU9Zm0+4QXd5reP+GyHWpqION3vd4ZXBH6F90YWmZErS/V5ernNBBnHZCLzci+bbe3rVbIkCjTf1tI9Zmsv03DDb4JTjUbJ8G4l4hhhlpOUM+2/b+VvS2Nhb9vRJ29z7j2K+cBbzVQ7wEYOGIPi2Atv9Vpv1+zN2PheZZs9rqNEU3LgAMV9fsUOTkQUvyo23fhVxHXNJFxMubs369dU8+5yEX0U6wRPMeHIKS+OoEvt3APaXitZ+8NwYxmvdgukUdBs9AYKMQBN6YKEkGpKFojIboTWzFdBUpz5rUWWj+pQbPrxoJ33YlttjAxXwKbyeyEGw4CUV76asw==$2VXmZat8L5psiwlhX1AREw==
→ The displayed $KS$ value can be copied directly from the console and pasted into the desired configuration file in place of the plaintext password.
Preliminary summary:
Create the Java KeyStore (with keystore password).
Create the configuration file for the Java KeyStore (which contains the keystore password in plain text).
Asymmetrically encrypt the password for your configuration file using the script (which uses the Java KeyStore and its configuration file).
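The following added example (not from the Lobster documentation and not the product's own code) shows what the three steps amount to in Java: it reads the keystore_lobster.* entries from ks.properties, opens the keystore with the password stored there, encrypts a password with the public key of the lobster entry and decrypts the result again with the private key. The exact encoding that password.bat uses is not documented on this page, so the token layout, the hybrid RSA-OAEP/AES-GCM construction, the class name KsPasswordDemo and the file-permission check are assumptions of this example only; a real $KS$ value produced by the script will not decrypt with it.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class KsPasswordDemo {
    // Token layout: $KS$<alias>$<base64 RSA-wrapped AES key>$<base64 IV||AES-GCM ciphertext>.
    // ASSUMPTION: this only mirrors the three-field shape printed by password.bat above; the
    // real encoding used by Lobster Integration is not documented on this page.
    static final String PREFIX = "$KS$";
    static final SecureRandom RNG = new SecureRandom();

    /** Keystore plus the password that opens it, as read from ks.properties. */
    static final class OpenedStore {
        final KeyStore store;
        final char[] password;
        OpenedStore(KeyStore store, char[] password) { this.store = store; this.password = password; }
    }

    /** Reads keystore_<alias>.filename / .password (/ .type) from ks.properties and opens the keystore. */
    static OpenedStore open(String propertiesFile, String alias) throws Exception {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(propertiesFile)) { p.load(in); }
        String file = p.getProperty("keystore_" + alias + ".filename");
        String pwd = p.getProperty("keystore_" + alias + ".password");
        String type = p.getProperty("keystore_" + alias + ".type", "JKS"); // keytool above produced JKS
        if (file == null || pwd == null) {
            throw new IllegalStateException("keystore_" + alias + ".filename/.password missing in " + propertiesFile);
        }
        warnIfReadableByOthers(propertiesFile); // the plaintext keystore password lives here
        warnIfReadableByOthers(file);           // and the private key lives here
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) { ks.load(in, pwd.toCharArray()); }
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("no private key entry '" + alias + "' in " + file);
        // Return was pressed at keytool's key password prompt, so the key password equals the keystore password.
        return new OpenedStore(ks, pwd.toCharArray());
    }

    /** Both files must be private to the Lobster user; on POSIX systems flag group/world-readable files. */
    static void warnIfReadableByOthers(String file) {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(Paths.get(file));
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("WARNING: " + file + " is readable by other users");
            }
        } catch (UnsupportedOperationException | IOException e) {
            // Windows (as in the D:\IS> example): no POSIX bits, check the NTFS ACL of the directory instead.
        }
    }

    /** Encrypts with the entry's public key: RSA-OAEP wraps a fresh AES key, AES-GCM encrypts the password. */
    static String encrypt(OpenedStore os, String alias, String password) throws Exception {
        PublicKey pub = os.store.getCertificate(alias).getPublicKey();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aes = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, pub);
        byte[] wrapped = rsa.wrap(aes);
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] ivCt = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, ivCt, iv.length, ct.length);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + alias + "$" + b64.encodeToString(wrapped) + "$" + b64.encodeToString(ivCt);
    }

    /** Reverses encrypt(); needs the private key, i.e. the keystore file and its password. */
    static String decrypt(OpenedStore os, String token) throws Exception {
        if (!token.startsWith(PREFIX)) throw new IllegalArgumentException("not a $KS$ value");
        String[] parts = token.substring(PREFIX.length()).split("\\$");
        if (parts.length != 3) throw new IllegalArgumentException("expected $KS$alias$key$data");
        PrivateKey priv = (PrivateKey) os.store.getKey(parts[0], os.password);
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, priv);
        SecretKey aes = (SecretKey) rsa.unwrap(b64.decode(parts[1]), "AES", Cipher.SECRET_KEY);
        byte[] ivCt = b64.decode(parts[2]);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, Arrays.copyOf(ivCt, 12)));
        byte[] pt = gcm.doFinal(ivCt, 12, ivCt.length - 12); // the GCM tag check fails on any tampering
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KsPasswordDemo ./etc/admin/ks.properties lobster "some password"
        OpenedStore os = open(args[0], args[1]);
        String token = encrypt(os, args[1], args[2]);
        System.out.println(token);
        if (!args[2].equals(decrypt(os, token))) throw new IllegalStateException("round trip failed");
    }
}
```

The example wraps a random AES key with RSA rather than RSA-encrypting the password directly: a 2048-bit RSA-OAEP block holds only about 190 bytes, and AES-GCM additionally detects a tampered or truncated token when it is read back. The point that matters operationally is visible in open(): the plaintext password in ks.properties is all that stands between a reader of the two files and every $KS$ value, which is why the directory permissions from the setup step are part of the security of this method.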
Important note: Since it is obviously unsafe to store the keystore password in plain text in ks.properties, obfuscation or PBE encryption (the latter requiring the PBE password to be specified) can be used for it instead. As we have already seen, however, neither of these two methods is very secure either. We therefore recommend using a master password instead.