Payload encryption

Generating custom private and public encryption keys

The server and the client both use RSA keys in DER PKCS#8 format. To generate custom encryption keys, run these commands:

openssl genrsa -out rsa-private-key.pem 2048
openssl rsa -in rsa-private-key.pem -out rsa-private-key.der -outform DER
openssl rsa -inform DER -in rsa-private-key.der -out rsa-public-key.der -pubout -outform DER
sudo chmod 644 rsa-private-key.der

Note: IAD Server cannot use the private key unless read permission for "others" is set (hence the chmod 644 above).

Using custom payload encryption key

To use a single custom encryption key, mount it as a volume:

docker run \
    -v /path/to/custom/rsa-private-key.der:/app/encryption/rsa-private-key.der \
    ...

To use multiple encryption keys, mount the whole folder containing the *.der keys as a volume:

docker run \
    -v /path/to/custom/keys:/app/encryption \
    ...

In this case every file in this folder with the .der extension is used as a valid private key. The file name without the .der extension is the key identifier (keyId). For example, for test.der the keyId is test.

  • When keyId is specified on the frontend side, the server uses the corresponding private key to decrypt a message.
  • When keyId is omitted on the frontend side, rsa-private-key.der is considered the default key and is used to decrypt a message.
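The following pre-flight check is an added example and not IAD Server's own code: the server's loader is not public, so the script only mirrors the rules stated above (every *.der file in the folder is a private key, keyId is the file name without ".der", rsa-private-key.der is the default when no keyId is sent, the file must be readable by "others", and the format must be DER PKCS#8 RSA). Run it against the folder you intend to mount at /app/encryption before starting the container. All function names, the sample key blobs and the folder layout in run_demo() are constructed for this example; the blobs carry only a PKCS#8 header around a placeholder body and are not usable keys.

```python
"""Pre-flight check for a key folder to be mounted at /app/encryption (added example)."""
import os
import stat
import tempfile
from pathlib import Path

DEFAULT_KEY_ID = "rsa-private-key"                        # rsa-private-key.der
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _der_tlv(data: bytes, pos: int = 0):
    """Parse one DER element at pos and return (tag, value, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def is_pkcs8_rsa_private_key(der: bytes) -> bool:
    """True only for PrivateKeyInfo { version 0, AlgorithmIdentifier rsaEncryption, OCTET STRING }.

    A PKCS#1 RSAPrivateKey (what older OpenSSL or `openssl rsa -traditional` writes) fails
    here because its second element is an INTEGER, not an AlgorithmIdentifier SEQUENCE.
    """
    try:
        tag, body, end = _der_tlv(der)
        if tag != 0x30 or end != len(der):
            return False
        tag, version, pos = _der_tlv(body)
        if tag != 0x02 or version != b"\x00":
            return False
        tag, alg, pos = _der_tlv(body, pos)
        if tag != 0x30:
            return False
        tag, oid, _ = _der_tlv(alg)
        if tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            return False
        tag, _, _ = _der_tlv(body, pos)
        return tag == 0x04
    except (IndexError, ValueError):
        return False


def world_readable(mode: int) -> bool:
    """The docs require read permission for 'others' (chmod 644)."""
    return bool(mode & stat.S_IROTH)


def load_key_folder(folder):
    """Scan a folder the way the docs describe: returns ({keyId: path}, [problems])."""
    keys, problems = {}, []
    for path in sorted(Path(folder).glob("*.der")):
        key_id = path.name[:-len(".der")]          # test.der -> keyId "test"
        if not world_readable(path.stat().st_mode):
            problems.append(f"{path.name}: not readable by others, run chmod 644")
        if not is_pkcs8_rsa_private_key(path.read_bytes()):
            problems.append(f"{path.name}: not a DER PKCS#8 RSA private key")
            continue
        keys[key_id] = path
    if DEFAULT_KEY_ID not in keys:
        problems.append("no rsa-private-key.der: messages without keyId cannot be decrypted")
    return keys, problems


def resolve_key(keys, key_id=None):
    """Documented lookup: explicit keyId, otherwise the default rsa-private-key.der."""
    wanted = key_id or DEFAULT_KEY_ID
    if wanted not in keys:
        raise KeyError(f"no private key for keyId {wanted!r}")
    return keys[wanted]


# --- constructed sample blobs: valid headers around a placeholder body, not usable keys ---
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


SAMPLE_PKCS8 = _der(0x30, _der(0x02, b"\x00")
                    + _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
                    + _der(0x04, _der(0x30, b"")))                    # placeholder RSAPrivateKey
SAMPLE_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x01\x01"))  # wrong (PKCS#1) shape


def run_demo():
    """Build a constructed key folder in a temp dir and scan it: (keyIds, default file, problems)."""
    with tempfile.TemporaryDirectory() as folder:
        for name, blob in [("rsa-private-key.der", SAMPLE_PKCS8),
                           ("test.der", SAMPLE_PKCS8),
                           ("legacy.der", SAMPLE_PKCS1)]:
            path = Path(folder, name)
            path.write_bytes(blob)
            os.chmod(path, 0o644)
        keys, problems = load_key_folder(folder)
        return sorted(keys), resolve_key(keys).name, problems


if __name__ == "__main__":
    ids, default, problems = run_demo()
    print("keyIds:", ids, "default:", default)
    for p in problems:
        print("problem:", p)
```

To check a real folder, call load_key_folder("/path/to/custom/keys") and act on the returned problems; a key rejected by the format check was most likely written as PKCS#1 (older OpenSSL, or `-traditional`) rather than PKCS#8.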

Embed encryption key into the image

If you need an image with the custom encryption key, you can embed it with this Dockerfile. The private key then becomes part of the image layers, so the image must be stored and distributed with the same care as the key itself:

FROM iad-server-prod:2.0.0

COPY rsa-private-key.der /app/encryption/rsa-private-key.der