Custom Encryption in PAM360

By default, PAM360 secures all passwords and sensitive information within the PAM360 vault using the AES-256 symmetric encryption algorithm, storing only the encrypted data in the database. A master encryption key, unique to each installation, is auto-generated, and the entire encryption and decryption processes occur within the PAM360 class file, including key generation and encryption logic. Thus, the complete data encryption and decryption lifecycle takes place within PAM360.

In addition to the default encryption method, PAM360 supports custom encryption, which allows you to customize the encryption and decryption methods. You can achieve this by implementing the PMPEncryptDecrypt Java interface with setter and getter methods, where you can use your encryption key and logic. Thus, PAM360 provides greater flexibility and control over securing your data.

Important Note: Before configuring custom encryption, take a complete backup of the PAM360 folder and the pam360_key.key file. If the database server is hosted on a different machine, copy the entire PAM360 database. This precautionary step is crucial to avoid potential data loss in case of issues during the configuration process.

The following topics are covered in this document:

Personal Password Management
Steps to Implement Custom Encryption in PAM360

1. Personal Password Management

If you or other users in your organization have utilized the 'Personal Password Management' feature in PAM360 with the option of specifying a personal encryption key (which is not stored in PAM360), be aware that configuring custom encryption will result in the loss of data stored in the personal passwords tab, and it will not be retrievable later. Therefore, users should be advised to use the 'Export Passwords' option within the personal passwords section before proceeding with the custom encryption configuration.

2. Steps to Implement Custom Encryption in PAM360

To implement custom encryption in an existing PAM360 installation, you should write an implementation class for your own encryption logic and execute it. The implementation steps are as detailed below:

Write your implementation class.

Create a class that implements the PMPEncryptDecrypt.java interface to define your custom encryption and decryption logic.
Refer to this document for more details.

Notes:

The generateCryptographicKey() method in the class should generate and return a new 32-bit key whenever called, while the getPmp32BitKey() method should return the last generated 32-bit key.
The getMSSQLMasterKey() should return the database master encryption key used while setting up the MSSQL Always-On cluster as the backend database. Switch-over operations for cluster-level nodes will not be handled if the return value is null or an empty string.

Notes:

(Applicable from PAM360 Builds 8000 and above only)

Ensure the getMSSQLMasterKey() method is properly implemented. The key returned by this method will be stored in the <PAM360-Installation-Directory>/conf/masterkey.key file and will be used for encryption.
A few existing methods have been deprecated and will soon be unavailable. Additionally, new methods have been introduced to enhance the overall security and encryption handling in PAM360.

Archive your implementation class.

Convert your implementation class into a .jar file (e.g., SampleEncryption.jar).
Move the .jar file to the <PAM360-Installation-Directory>/lib folder.

Stop the PAM360 service before proceeding to the next step.
Execute the Migrate Cryptography script.

Scenario 1: High Availability/Failover Service not Configured

Execute the MigrateCryptography.bat script in the <PAM360-Installation-Directory>\bin folder and pass your implementation class as an argument.
Script Usage: MigrateCryptography.bat com.org.crypto.SampleEncryptDecrypt

Scenario 2: High Availability/Failover Service Configured

Stop and uninstall the secondary server.
Configure custom encryption on the primary server by executing MigrateCryptography.bat.
Install a fresh secondary instance of PAM360.
Reconfigure the High Availability/Failover service. The HAPack.zip or FOSPack.zip will contain the custom encryption jar.

Add custom encryption to the pmped.conf file.

Open the pmped.conf file located inside the <PAM360-Installation-Directory>/conf folder.
Locate the EDCLASS entry in the file and add an entry next to it as specified below.

EDCLASS=com.adventnet.passtrix.ed.PMPEncryptDecryptImpl EDJARS=MyOwnEncDecImpl1.jar,MyOwnEncDecImpl2.jar
Here, MyOwnEncDecImpl1.jar and MyOwnEncDecImpl2.jar are sample cryptography jars. Rename your jar files as required and specify one or more jars in a comma-separated format.

If you are using third-party jars, list them first, followed by your implementation class.

Start the PAM360 server.


Custom Encryption in PAM360 By default, PAM360 secures all passwords and sensitive information within the PAM360 vault using the AES-256 symmetric encryption algorithm, storing only the encrypted data in the database. A master encryption key, unique to each installation, is auto-generated, and the entire encryption and decryption processes occur within the PAM360 class file, including key generation and encryption logic. Thus, the complete data encryption and decryption lifecycle takes place within PAM360. In addition to the default encryption method, PAM360 supports custom encryption, which allows you to customize the encryption and decryption methods. You can achieve this by implementing the PMPEncryptDecrypt Java interface with setter and getter methods, where you can use your encryption key and logic. Thus, PAM360 provides greater flexibility and control over securing your data. Important Note: Before configuring custom encryption, take a complete backup of the PAM360 folder and the pam360_key.key file. If the database server is hosted on a different machine, copy the entire PAM360 database. This precautionary step is crucial to avoid potential data loss in case of issues during the configuration process. The following topics are covered in this document: Personal Password Management Steps to Implement Custom Encryption in PAM360 1. Personal Password Management If you or other users in your organization have utilized the 'Personal Password Management' feature in PAM360 with the option of specifying a personal encryption key (which is not stored in PAM360), be aware that configuring custom encryption will result in the loss of data stored in the personal passwords tab, and it will not be retrievable later. Therefore, users should be advised to use the 'Export Passwords' option within the personal passwords section before proceeding with the custom encryption configuration. 2. Steps to Implement Custom Encryption in PAM360 To implement custom encryption in an existing PAM360 installation, you should write an implementation class for your own encryption logic and execute it. The implementation steps are as detailed below: Write your implementation class. Create a class that implements the PMPEncryptDecrypt.java interface to define your custom encryption and decryption logic. Refer to this document for more details. Notes: The generateCryptographicKey() method in the class should generate and return a new 32-bit key whenever called, while the getPmp32BitKey() method should return the last generated 32-bit key. The getMSSQLMasterKey() should return the database master encryption key used while setting up the MSSQL Always-On cluster as the backend database. Switch-over operations for cluster-level nodes will not be handled if the return value is null or an empty string. Notes: (Applicable from PAM360 Builds 8000 and above only) Ensure the getMSSQLMasterKey() method is properly implemented. The key returned by this method will be stored in the <PAM360-Installation-Directory>/conf/masterkey.key file and will be used for encryption. A few existing methods have been deprecated and will soon be unavailable. Additionally, new methods have been introduced to enhance the overall security and encryption handling in PAM360. Archive your implementation class. Convert your implementation class into a .jar file (e.g., SampleEncryption.jar). Move the .jar file to the <PAM360-Installation-Directory>/lib folder. Stop the PAM360 service before proceeding to the next step. Execute the Migrate Cryptography script. Scenario 1: High Availability/Failover Service not Configured Execute the MigrateCryptography.bat script in the <PAM360-Installation-Directory>\bin folder and pass your implementation class as an argument. Script Usage: MigrateCryptography.bat com.org.crypto.SampleEncryptDecrypt Scenario 2: High Availability/Failover Service Configured Stop and uninstall the secondary server. Configure custom encryption on the primary server by executing MigrateCryptography.bat. Install a fresh secondary instance of PAM360. Reconfigure the High Availability/Failover service. The HAPack.zip or FOSPack.zip will contain the custom encryption jar. Add custom encryption to the pmped.conf file. Open the pmped.conf file located inside the <PAM360-Installation-Directory>/conf folder. Locate the EDCLASS entry in the file and add an entry next to it as specified below. EDCLASS=com.adventnet.passtrix.ed.PMPEncryptDecryptImpl EDJARS=MyOwnEncDecImpl1.jar,MyOwnEncDecImpl2.jar Here, MyOwnEncDecImpl1.jar and MyOwnEncDecImpl2.jar are sample cryptography jars. Rename your jar files as required and specify one or more jars in a comma-separated format. If you are using third-party jars, list them first, followed by your implementation class. Start the PAM360 server.