System Database Encryption

User passwords are stored encrypted in the system database. Passwords of Axon.ivy users are hashed by using the bcrypt algorithm.

Passwords of technical users that are used to communicate with external systems are encrypted using the AES algorithm. The secret key for the AES algorithm is by default created automatically by using a secure random generator. However, it is possible to provide an own secret key as follows:

1. Create your own AES secret key and store it in a key store file by using the Java keytool:

   keytool -genseckey -alias aes -keyalg AES -keysize 128 -storepass changeit -storetype JCEKS -keystore keystore.jceks
   

2. Configure the following Java system properties in the launcher configuration:

   ch.ivyteam.ivy.persistence.keystore.file

   The path to the key store that holds the AES secret key. E.g. keystore.jceks

   ch.ivyteam.ivy.persistence.keystore.password

   The password needed to read the key store file. Default changeit

   ch.ivyteam.ivy.persistence.keystore.alias

   The name of the key to read from the key store file. Default aes

   ch.ivyteam.ivy.persistence.keystore.type

   The type of the key store. Default JCEKS

Warning

If you configure an own AES secret key after you have already stored technical passwords for external system then those passwords can no longer be decrypted and are useless. You have to reconfigure all those passwords again!