Encrypting sensitive configurations
Optional. For extra security you can encrypt the values of certain configuration parameters that contain sensitive information. Usually the encryption is not needed because your Voice Browser service host is isolated and secure. One reason to encrypt is to protect backup copies of property files that contain sensitive values.
Affected parameters
Setting browser.security.ssl.encryptedParameters requires encryption of these parameters:
browser.security.ssl.keyStoreURL
browser.security.ssl.keyStorePassword
Instructions
Objectives:
- Use Management Station or properties files to provide encrypted values for the affected parameters.
- Store the encryption key in browser.security.encryptionKeyPath
- Enable encryption with browser.security.ssl.encryptedParameters.
Note: This feature requires running OpenSSL 1.1.1 or newer.
Procedure:
- Create the encryption key. In a command window on the Voice Browser service host, generate a password key file (base64 encoding):
openssl rand -base64 32 > vbs.key
(Create the key file on any host. Store the file on the Voice Browser service host.)
- Configure the location of the key file in browser.security.encryptionKeyPath. You can configure in Management Station (in Advanced Properties), or as a command line argument in a role file.
- Configure each of the affected parameters. Repeat these steps for each parameter:
- Encrypt a value and copy the output. This example pipes a value to openssl, specifies the encryption mechanism, and passes the newly created encryption key:
echo -n this is my param value | openssl enc -aes-256-cbc -pbkdf2 -base64 -pass file:vbs.key
U2FsdGVkX18Al/GUPw6eVhW1o/a5L7OpcyP0PlD+MEOVD1HyARcI4DT4itGmaHO0
- Optional. Test the encrypted value. This example sends the encrypted value to openssl and passes the same key for decryption:
echo U2FsdGVkX18Al/GUPw6eVhW1o/a5L7OpcyP0PlD+MEOVD1HyARcI4DT4itGmaHO0 | openssl enc -d -aes-256-cbc -pbkdf2 -base64 -pass file:vbs.key
this is my param value
- Paste the encrypted value into the parameter configuration. You can configure in Management Station (in Advanced Properties), or as a command line argument in a role file.
- Encrypt a value and copy the output. This example pipes a value to openssl, specifies the encryption mechanism, and passes the newly created encryption key:
Note: When you paste base64 encrypted values into Management Station, any plus symbols (+) display as spaces. This is expected.
Risks
Anyone with access to the password key file can decrypt the encrypted parameters. The risk depends on how you set browser.security.encryptionKeyPath
-
When set via the command line argument in the role file, the password key file location is stored in plain text in the role file. Anyone with access to the role file can know the location of the key file.
-
When set via Management Station, admin users can see the password key file location in plain text. Also, the location is stored in plain text in backups of the Voice Browser service configuration. Anyone with access to the backups can know the location of the key file.
