OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

Is there possibility of storing encrypted keys or not to use oxalis.conf at all? #456

Open saneokv opened 4 years ago

saneokv commented 4 years ago

Hi @difi. I tried to use oxalis and oxalis-as4 to send some documents to PEPPOL, and it works the way you specified in the documentation. Actually, my problem is that I don't want to store the keystore password and alias password in oxalis.conf as specified, as I have them encrypted in another properties file and would just like to send them to Oxalis. Is there any possibility of not using oxalis.conf at all and sending them as some properties, maybe when creating OxalisOutboundComponent? If not, will this functionality be available in the future?

darklajid commented 4 years ago

With the recent merge of the configuration change, you can pass in environment variables. Would that work for your case?

My config file contains

oxalis.keystore {
    path = keystore.p12
    password = ${CERT_PASS}
    key.alias = ${CERT_ALIAS}
    key.password = ${CERT_PASS}
}

and that information is passed to the (for me: Docker) environment instead, so it doesn't reside in the configuration files. Would that help or is that not enough?

saneokv commented 4 years ago

Thanks for your response @darklajid. Actually, it doesn't solve my problem. I have the keystore and alias passwords encrypted in a properties file, and I use an algorithm to decrypt them when I need them. In the case you provided, I have to put them decrypted in env variables, which creates a security issue as well. CERT_ALIAS, for example, comes as a component part from some web, and that's why I have to create oxalis.conf on the fly and then remove it, as depending on the situation some values in it could be different; that is not good practice at all. The best way for me would be if I could, for example, pass these values to the constructor of OxalisOutboundComponent, and if they are set in the constructor it would take them from the constructor, and if not, then from oxalis.conf.

asger-weirsoee commented 2 years ago

Isn't the solution for this just setting correct reading permissions for the env file @saneokv?

Your server should never be so insecure that people might be able to read files with the permission 700, with the user hosting Oxalis being the owner of the file. But if that is the case, then they'd also have access to your codebase and memory, and could just wait for your decryption algorithm to happen, and search memory for your secrets?

In the scenario that you are hosting this on a Linux server, with multiple users having access, then you should ONLY have trusted users in the sudoers file.

And in the case where you are using Docker to host the Oxalis server, then Docker natively supports secrets.

Idk much about Windows Servers, but I assume that many of the same principles apply there as well.
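
The two suggestions made so far in this thread (the `${CERT_PASS}` / `${CERT_ALIAS}` substitutions in oxalis.conf and permission-restricted or Docker secret files) combined in one launcher script, as an added example that is not part of the thread or of Oxalis. The `cert_pass` / `cert_alias` file names, the `/run/secrets` default and the `SECRETS_DIR` variable are assumptions.

```shell
#!/bin/sh
# Added example: load keystore secrets from private files into the environment
# of the launched process only, so oxalis.conf can keep ${CERT_PASS} and
# ${CERT_ALIAS}. File names and the secrets directory are assumptions.

# Succeeds only if $1 is a regular file with no group/other permission bits
# (for example 0400, 0600 or 0700).
secret_file_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# load_secret VAR FILE: export VAR with the file's content, refusing files
# that are missing or readable by anyone but the owner.
load_secret() {
    if ! secret_file_is_private "$2"; then
        echo "refusing $2: missing or accessible to group/other" >&2
        return 1
    fi
    # Command substitution strips the trailing newline most editors add.
    value=$(cat "$2") || return 1
    export "$1=$value"
}

# run_with_keystore_secrets DIR CMD...: load both secrets from DIR, then run
# CMD with them in its environment. Fails closed if either file is rejected.
run_with_keystore_secrets() {
    dir=$1
    shift
    load_secret CERT_PASS "$dir/cert_pass" || return 1
    load_secret CERT_ALIAS "$dir/cert_alias" || return 1
    "$@"
}

# When called with arguments, treat them as the command that starts Oxalis.
if [ "$#" -gt 0 ]; then
    run_with_keystore_secrets "${SECRETS_DIR:-/run/secrets}" "$@"
fi
```

The values still end up in the environment of the launched process, so this covers the file-permission and Docker secrets suggestions rather than the request to pass values to the constructor.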

aaron-kumar commented 1 year ago

@saneokv: Oxalis is based on community support. Feel free to contribute if you want to change/enhance something. Since this is not directly linked with a Core/Compliance issue, it may not get priority in the Oxalis roadmap. So we are expecting a contribution from your side if you really want to add this feature.

Note: This issue will automatically be moved to discussion if no response is received in 1 week's time.