encryption websphere-liberty open-liberty

Can you encrypt regular variables in IBM/Open Liberty using securityUtility?


Liberty allows us to encode/encrypt password data. However, is this only for designated Liberty password fields? Or would Liberty automatically decrypt my custom variable if the value was an encrypted {aes} value generated by securityUtility?

Example:

<variable name="my.sensitive.var" value="{aes}blAhBlahAblah" />

Solution

  • You can encode/encrypt variable values and substitute them for password fields in the config or use them in your application, where you'll need to decrypt them using the Password Utilities feature's APIs.

    However, you can't use the encoded/encrypted values for other things in the config that are not marked as ibm:type="password" in the metadata. For example:

       <variable name="thisWillWork" value="{aes}APaWnx/wThHwqThFdjUparDSMKJZV9KnPY5OPfSE5y0F" />
       <variable name="thisWillNotWork" value="{aes}APaWnx/wThHwqThFdjUparDSMKJZV9KnPY5OPfSE5y0F" />
       <basicRegistry id="basic">
          <user name="${thisWillNotWork}" password="${thisWillWork}" />
       </basicRegistry>
    

    For more information regarding using encrypted/encoded values in your app, take a look at this Stack Overflow question: Decode AES encryption in web application in IBM Liberty server
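The application-side decode mentioned in the answer, as an added example that is not part of the original answer or of Liberty's own code. It assumes the `passwordUtilities-1.0` feature is enabled; the class name `SensitiveConfig` and the JNDI name used to expose the variable are hypothetical.

```java
// Added example. Assumed server.xml wiring (the JNDI name is hypothetical):
//   <feature>passwordUtilities-1.0</feature>
//   <jndiEntry jndiName="config/mySensitiveVar" value="${my.sensitive.var}" />
import com.ibm.websphere.crypto.InvalidPasswordDecodingException;
import com.ibm.websphere.crypto.PasswordUtil;
import com.ibm.websphere.crypto.UnsupportedCryptoAlgorithmException;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public final class SensitiveConfig {
    private SensitiveConfig() {}

    /** Looks up the still-encoded value and returns the decoded secret. */
    public static char[] load(String jndiName) throws NamingException {
        Object raw = new InitialContext().lookup(jndiName);
        return reveal(String.valueOf(raw));
    }

    /** Decodes an {aes} value; refuses clear-text or non-AES input. */
    static char[] reveal(String raw) {
        // Returns the name inside the {tag} prefix, or null when there is no tag.
        String algorithm = PasswordUtil.getCryptoAlgorithm(raw);
        if (algorithm == null) {
            throw new IllegalStateException(
                "value is stored in clear text; encode it with securityUtility");
        }
        if (!"aes".equalsIgnoreCase(algorithm)) {
            // {xor} is only an encoding and {hash} is one-way, so fail closed.
            throw new IllegalStateException("expected {aes}, found {" + algorithm + "}");
        }
        try {
            // decode() uses the server's AES key: the product default unless
            // wlp.password.encryption.key is set for this server.
            return PasswordUtil.decode(raw).toCharArray();
        } catch (InvalidPasswordDecodingException | UnsupportedCryptoAlgorithmException e) {
            // Keep the raw value out of the message so it never reaches the logs.
            throw new IllegalStateException("could not decode configured secret", e);
        }
    }
}
```

A caller would use `SensitiveConfig.load("config/mySensitiveVar")` and overwrite the returned array once the secret is no longer needed.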