Syncplicity Support

Search our knowledgebase to get the help you need, today

Follow

Securing sensitive configuration data

Overview

The configuration of a Syncplicity Storage Connector is done in the configuration file syncp-storage.yml. This configuration file contains settings like the path to the backend storage, but also contains more sensitive information like the AccessKey and maybe other connection details like the S3 connection details, S3 key and S3 secret. Since version 3.3 of the Storage Connector, admins can decide to have this information encrypted, so it no longer is stored in plain-text but in an encrypted Keystore-file. This prevents outside parties from accessing data stored in Syncplicity - for example contractor administrators who are managing your infrastructure.

This feature is available for On-Premise Storage Connectors version 3.3 and newer. When upgrading from an older version of the Storage Connector, e.g. 2.x, this is a good article to read to move sensitive information into a secured location in order to meet increased corporate compliance.

To watch a video on this process, click the image below.

 

 

Why would you need a keystore

In general, the StorageVault security level is sufficient when Storage Connector is configured according to deployment and upgrade guides: Storage Connectors are hosted on company premises and company security policies are in place with standard corporate protection guidelines. Previous versions of the Syncplicity Storage Connectors stored all information in the configuration file. There are a few cases though when sensitive configuration data such as passwords and access keys need to be stored in a secure way:

  • To protect the data, e.g. when StorageVaults are hosted in an external datacenter like your ISP or systems integrator.
  • When security compliance or compliance requirements have to be established, e.g. when no passwords should exist in configuration files.
  • When enabling certain features like Syncplicity Rights Management or running the Storage Connector in HTTPS mode.

In such cases it is possible with the current versions of the Storage Connectors to store sensitive configuration data in a keystore file. A keystore file is a cryptographic archive file that could contain public and private keys, certificates and passwords. Supported keystore file types in Storage Connector are of the type: JCEKS, JKS, DKS, PKCS11 and PKCS12. The current guide describes how to configure Storage Connector using PKCS12 (.p12) file format. Working with PKSC12 files is described in Working with keystores.

The Keystore file is protected by a password that must be supplied by a password provider. This guide provides a solution for Storage Connectors hosted in AWS. For Storage Connectors hosted in ESXi or similar hypervisors, customer administrators have to provide or implement such a solution.

What attributes from the configuration file can be secured

When for security reasons, it is required to move sensitive information from the configuration file, the following configuration data can be stored in this Keystore:

  • Access key (syncplicity.ws.accesskey
  • Storage credentials for data, image, IRM and zip archive locations.
    • Atmos secret key (syncplicity.storage.atmos.secret)
    • Azure account key (syncplicity.storage.azure.accountKey)
    • Google auth JSON (syncplicity.storage.google.authJson)
    • S3 Access key and secret (syncplicity.storage.s3.access, syncplicity.storage.s3.secret)
  • StorageVault with Authentication (SVA)
    • Secret Key (syncplicity.storageVaultAuthentication.key)
    • IdP Certificate (syncplicity.storageVaultAuthentication.saml.idpCertificate)
    • Password for the SMTP server (syncplicity.mail.password)
  • Syncplicity Rights Management
    • Private Key (syncplicity.storage.plugins.irm.syncrm.advancedSecurity.privateKey)
    • Pass phrase (syncplicity.storage.plugins.irm.syncrm.passPhrase)
    • Password for the HTTP proxy (syncplicity.storage.plugins.irm.syncrm.proxy.password)
  • For connectors running in HTTPS mode
    • The server certificate.

See Storage Connector configuration parameters for detailed information.

Securing the configuration data

Before moving to this step, it is recommended that you already have a configured On-Premise Storage Connector that is validated to be working properly. That would help resolve the issues faster, In case something goes wrong during the configuration.

The steps you need to follow to secure your sensitive configuration data are:

  1. Determine what needs to be secured.
  2. Add the configuration in the Keystore.
  3. Setup a password provider.
  4. Enforce the secure configuration.
  5. Remove the sensitive data from the config file or the file system.
  6. Restart the Storage Connector and validate it is up and running.

Determine what needs to be secured

Determine which configuration data needs to be stored in the keystore based on the storage type and the feature that needs to be configured.

The following features require keystore usage:

Create the keystore

Take a look at the below example to learn how to set up an empty keystore.

 

Add the configuration in the keystore

Once the empty keystore is created, add each of the configuration properties to the keystore. See Working with keystores for more details.

Once created, the keystore should have proper access rights and an owner. See the below example on how to fix this for a keystore in location /etc/syncp-storage/keystore.p12

  1. sudo chown syncp-storage:syncp-storage /etc/syncp-storage/keystore.p12
  2. sudo chmod 600 /etc/syncp-storage/keystore.p12

If the service cannot access the keystore, it will fail to start with an error message in the log file.

Here is an example to start and get you going, showing how you can move the AccessKey. If you want other items to be moved to the keystore as well, you can add them in the same way.

Setup a password provider

A password provider is a file that provides a securely stores password when the Storage Connector is started. See Password provider setup for detailed information on how to configure a password provider

Enforce the secure configuration

When you decide to move sensitive information to the keystore file, you need to enforce the secure configuration. Modify the Storage Connector configuration file syncp-storage.yml by enforcing the keystore file in the crypto section. Change the enforced attribute to true and specify the location of the keystore file and its type.

syncplicity:
  crypto:
    keyStore:
      enforced: true
      file: /etc/syncp-storage/keyStore.p12
      type: PKCS12

Here's an example on how to do this.

Remove the sensitive data from the config file or the file system

Once added to the keystore, all the plain text configuration data can be removed from the configuration file or the file system. Be sure to keep a secure backup for it in case you need it for a reference in the future.

Restart the Storage Connector and validate it is up and running

  1. Restart the connector: sudo service syncp-storage restart.
  2. Validate the startup by inspecting the logfile in /var/log/syncp-storage.
  3. Validate that the service status is Active (running): sudo service syncp-storage status.
  4. Validate that the Storage Connector is responding with pong when loading https://<storage_connector_host>/ping via curl or a browser.
  5. Validate that you're able to upload and download files.
  6. In case the keystore is being used to enable a certain feature  follow the configuration guide for that feature and perform the validations specified there.


Keystore usage when secure configuration is not enforced

Some features require a keystore usage, but don't require enforcing the secure configuration. In such cases, instead of configuring a password provider, the password can be specified in the syncplicity.crypto.keyStore.password setting.  Your configuration should look like this:

syncplicity:
  crypto:
    keyStore:
      enforced: true
      file: /etc/syncp-storage/keyStore.p12
      password: <password_in_full_text>
      type: PKCS12

 

It is also important to note how the configuration values are being determined. In case secure configuration is not enforced the config value is determined in the following order:

  1. The value in the config file is used, if configured there
  2. The default value is used
  3. When not specified, but mandatory, the Storage Connector will fail to start and report the missing information in the log file.

In case secure configuration is enforced

  1. Values are loaded from the keystore
  2. The default value is used
  3. If present in the config file, a warning will appear in SC log as a reminder to remove the sensitive data from the config file
The rules above apply only for the sensitive config properties. The non-sensitive ones are configured only in the syncp-storage.yml file and are not loaded from the keystore.

Updating configuration in existing keystore

See Working with keystores for more details.

Upgrading from an older version of a Storage Connector

When upgrading from an older version of a Storage Connector by using syncp-storage-migrate-config:

  • If upgrading from version 2.x that was configured to run in HTTPS mode, the keystore is automatically created and the configuration is adjusted.
  • If upgrading from version 3.2 or newer that was configured to use a keystore - configuration is retained as is and is reused.

 

Powered by Zendesk