Payload encryption
Generating custom private and public encryption keys
We use RSA keys in DER PKCS#8 format on both the server and client sides. To generate custom encryption keys, use these commands:
```bash
openssl genrsa -out rsa-private-key.pem 2048
# OpenSSL 3.x writes the DER private key in PKCS#8 form here; OpenSSL 1.1.x writes PKCS#1 ("RSA PRIVATE KEY"),
# so on 1.1.x use `openssl pkcs8 -topk8 -nocrypt -in rsa-private-key.pem -outform DER -out rsa-private-key.der`
openssl rsa -in rsa-private-key.pem -out rsa-private-key.der -outform DER
# the input is now DER, so say so explicitly (without -inform DER, OpenSSL 1.1.x cannot load the key)
openssl rsa -in rsa-private-key.der -inform DER -out rsa-public-key.der -pubout -outform DER
# the server needs the "others" read bit on the private key file (see the note below)
sudo chmod 644 rsa-private-key.der
```
Note: IAD Server will not be able to use the private key if read permission for "others" is not set.
Using custom payload encryption key
To use a single custom encryption key, mount it into the container as a volume:
```bash
docker run \
  -v /path/to/custom/rsa-private-key.der:/app/encryption/rsa-private-key.der \
  ...
```
To use multiple encryption keys, mount the whole folder containing the *.der keys as a volume:
```bash
docker run \
  -v /path/to/custom/keys:/app/encryption \
  ...
```
In this case, every file in this folder with the .der extension is used as a valid private key. The name of each file, excluding the .der extension, is the key identifier (keyId). For example, for test.der the keyId is test.

- When keyId is specified on the frontend side, the server uses the corresponding private key to decrypt the message.
- When keyId is omitted on the frontend side, rsa-private-key.der is considered the default key and is used to decrypt the message.
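As an added example (not part of this documentation or of the IAD Server code), the following Python script checks a key folder the way the server will interpret it: it classifies each .der file by its ASN.1 structure (a PKCS#8 private key, the PKCS#1 form that older `openssl rsa` emits, or a public key dropped into the folder by mistake), derives keyId from the file name, and resolves a request's keyId, or its absence, to the key the server would use. The DER samples at the bottom are constructed skeletons for illustration, not real keys.

```python
RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # AlgorithmIdentifier body: OID rsaEncryption + NULL
DEFAULT_KEY_ID = "rsa-private-key"   # rsa-private-key.der is used when the frontend omits keyId

def _tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos] -> (tag, content, end offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_der(data):
    """Classify a .der blob by ASN.1 structure: PKCS#8 private, PKCS#1 private, SPKI public or unknown."""
    try:
        tag, body, end = _tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return "unknown"
        t1, c1, p = _tlv(body, 0)
        if t1 == 0x02:                                     # INTEGER version comes first
            t2, c2, p = _tlv(body, p)
            if t2 == 0x30 and c2 == RSA_ALG_ID and _tlv(body, p)[0] == 0x04:
                return "pkcs8-rsa-private"                 # version, rsaEncryption, OCTET STRING
            if t2 == 0x02:
                return "pkcs1-rsa-private"                 # version, modulus, ...: traditional RSA
        elif t1 == 0x30 and c1 == RSA_ALG_ID and _tlv(body, p)[0] == 0x03:
            return "spki-rsa-public"                       # rsaEncryption, BIT STRING: a public key
    except (IndexError, ValueError):
        pass
    return "unknown"

def index_keys(files):
    """keyId -> format for every *.der entry; keyId is the file name minus .der, as the server derives it."""
    return {n[:-4]: classify_der(d) for n, d in files.items() if n.endswith(".der")}

def select_key_id(index, key_id=None):
    """Resolve a request's keyId (None when the frontend omits it) to the key the server decrypts with."""
    chosen = DEFAULT_KEY_ID if key_id is None else key_id
    if chosen not in index:
        raise KeyError(f"no {chosen}.der in the key folder")
    if index[chosen] != "pkcs8-rsa-private":
        raise ValueError(f"{chosen}.der is {index[chosen]}, server expects pkcs8-rsa-private")
    return chosen

PKCS8_SKELETON = bytes.fromhex("3016020100300d06092a864886f70d010101050004023000")  # constructed, not real keys
PKCS1_SKELETON = bytes.fromhex("3009020100020105020103")
SPKI_SKELETON = bytes.fromhex("3012300d06092a864886f70d0101010500030100")
CONSTRUCTED_KEY_DIR = {"rsa-private-key.der": PKCS8_SKELETON, "test.der": PKCS8_SKELETON,
                       "legacy.der": PKCS1_SKELETON, "rsa-public-key.der": SPKI_SKELETON, "README.txt": b"x"}
```

Run `index_keys` over the folder you intend to mount at /app/encryption and fix every entry that is not `pkcs8-rsa-private` before deploying, since the server treats every .der file there as a private key.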
Embed encryption key into the image
If you need an image with the custom encryption key built in, you can embed it with this Dockerfile: