Deployment Manual / Version 2401
Before you can use the keystore-based encryption service, you have to create a keystore file using the Java keytool command. The keystore will contain the keys used for encryption and decryption. On the command prompt type:
keytool -genkeypair -keyalg RSA -keystore <KEYSTORE_FILENAME> -storepass <KEYSTORE_PASSWORD> -alias <KEY_ALIAS> -keypass <KEY_PASSWORD>
For secure usage, it is not recommended to provide passwords directly on the command line. Use secure input instead by not supplying values for the password options; keytool will then prompt for the passwords.
For details, see the documentation of keytool.
Certain keystore types require identical passwords for the keystore and key.
You will get an appropriate warning when generating the key in this case.
Note
For the above-mentioned command, the generated PKCS12 KeyStore needs to have the same KEY_PASSWORD and KEYSTORE_PASSWORD.
The keytool will prompt you for your username, organizational unit, organization, city, state/province and country code.
This information (which goes into your self-signed certificate) is not relevant for the keystore to work properly.
The resulting key/certificate will be valid for 90 days unless you specify another validity duration using the -validity option.
Note that you have to update the stored encrypted values when your keypair changes.
Choose your keystore validity carefully.
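The following script is an added example, not part of the manual: it creates the key pair with prompted passwords and an explicit validity, and reports how many days of validity remain so that a key change can be planned. It assumes GNU date and English, UTC-formatted keytool output; the function names and the 30-day warning threshold are hypothetical.

```shell
#!/bin/sh
# Added example (not from the manual). Assumes GNU date and that keytool
# prints dates in English/UTC, which list_entry forces via -J JVM options.

# Create the key pair. No -storepass/-keypass is given, so keytool prompts
# for the passwords instead of exposing them in shell history or process lists.
# $1 = keystore file, $2 = alias, $3 = validity in days.
create_keystore() {
  keytool -genkeypair -keyalg RSA -keystore "$1" -alias "$2" -validity "$3"
}

# Verbose listing of one entry; it contains the "Valid from: ... until: ..." line.
list_entry() {
  keytool -J-Duser.language=en -J-Duser.timezone=UTC \
    -list -v -keystore "$1" -alias "$2"
}

# Read `keytool -list -v` output on stdin and print the whole days left until
# the first certificate expires (negative once it has expired).
# $1 = reference time in epoch seconds (defaults to now).
# Returns 2 if no validity line is found or the date cannot be parsed.
days_until_expiry() {
  local now until_str until_epoch
  now="${1:-$(date +%s)}"
  until_str=$(sed -n 's/^Valid from: .* until: \(.*\)$/\1/p' | head -n 1)
  [ -n "$until_str" ] || return 2
  until_epoch=$(date -d "$until_str" +%s 2>/dev/null) || return 2
  echo $(( (until_epoch - now) / 86400 ))
}

# Usage: sh keystore_expiry.sh <keystore> <alias> [warn_days]
# Exit status 1 means the remaining validity is at or below warn_days
# (default 30, an assumed threshold).
if [ "$#" -ge 2 ]; then
  left=$(list_entry "$1" "$2" | days_until_expiry) || {
    echo "could not read certificate validity" >&2
    exit 2
  }
  echo "$left days of validity left for alias $2"
  [ "$left" -gt "${3:-30}" ] || exit 1
fi
```

Run the check from a scheduled job so that an approaching key change, and the re-encryption of stored values it requires, is noticed in advance.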
The next step is to configure the keystore encryption service. This is described in the following sections. The recommended way is to use the Spring Boot configuration properties.