Encrypt Sensitive Information in Experience Service Configuration
The following configuration parameters store sensitive information:
db.connectionString
authentication.authorization.appKey
proxies.0.appKey
thingworxMetrics.appkey
vdp.username
vdp.password
httpsCertPassphrase
authentication.openid.clientSecret
authentication.openid.session.secret
Parameter values can be encrypted to decrease the chances of unauthorized users gaining access to this sensitive information. Pass the --encryptConfiguration option on the command line when starting the Experience Service to encrypt sensitive values. For example:
start-es.sh --encryptConfiguration
When the Experience Service is started with this command line option, it rewrites the configuration.json file with encrypted versions of the sensitive parameter values. After the configuration has been encrypted, it is no longer necessary to start the Experience Service with the --encryptConfiguration option unless the sensitive information in the configuration changes and must be encrypted again.
When encrypting the configuration, the Experience Service generates an AES-256 key that is used to encrypt and decrypt the sensitive information. This key is stored in the .ves directory in the home directory of the user that started the Experience Service with the --encryptConfiguration option. The key must be protected, because anyone who can read it can decrypt the sensitive information.
When the Experience Service is restarted after the configuration has been encrypted, it looks for the encryption key in the <home>/.ves directory of the user that is attempting to start the Experience Service. Therefore, once the configuration has been encrypted, the Experience Service must be started by a user whose <home>/.ves directory contains the encryption key; if it is started by a different user, the key is not found there.
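The following pre-start check is an added example, not a script shipped with the Experience Service. It assumes only what this page states: the key directory is <home>/.ves of the user that starts the service. It fails early when the directory is missing (the configuration was encrypted by a different user, or never encrypted) or when it is readable by other users.

```shell
#!/bin/sh
# Pre-start check for an encrypted Experience Service configuration.
# Added example; assumes the key lives in $HOME/.ves of the user that
# starts the service. The file layout inside .ves is not assumed.

# check_ves_dir HOME_DIR
# Returns 0 when HOME_DIR/.ves exists, is a directory, is owned by the
# current user and carries no group/other permission bits; otherwise
# prints the reason to stderr and returns 1.
check_ves_dir() {
    ves="$1/.ves"
    if [ ! -d "$ves" ]; then
        echo "missing key directory $ves: the configuration was encrypted" \
             "by another user or not at all; run start-es.sh --encryptConfiguration" \
             "once as the user that will run the service" >&2
        return 1
    fi
    if [ ! -O "$ves" ]; then
        echo "key directory $ves is not owned by the current user" >&2
        return 1
    fi
    # Octal mode; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$ves" 2>/dev/null || stat -f '%Lp' "$ves" 2>/dev/null)
    case "$mode" in
        700|500) return 0 ;;
        *) echo "key directory $ves has mode '$mode'; expected 700" >&2
           return 1 ;;
    esac
}

# preflight HOME_DIR START_SCRIPT
# Runs the check, then starts the service only if the key is in place.
preflight() {
    check_ves_dir "$1" || return 1
    "$2"
}
```

Run it as the service user, for example `preflight "$HOME" ./start-es.sh`; a non-zero exit means the service would not be able to decrypt its configuration.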