How to Use Custom Cryptography (Encryption and Decryption) in Password Manager Pro?
(Feature available only in Enterprise Edition)
By default, Password Manager Pro encrypts all passwords and other sensitive information using AES-256 symmetrical encryption algorithm and store only these encrypted data into the password database. The master encryption key is auto-generated and is unique for every installation. In this scenario, the entire encrypt and decrypt methods will reside inside the Password Manager Pro class file. Hence, both the key-generation and encryption logic were handled by Password Manager Pro.
Apart from the default cryptography technique, Password Manager Pro now provides an option to use custom cryptography i.e., the encrypt & decrypt methods can now be customized by implementing our Java interface 'PMPEncryptDecrypt' with setter and getter methods, where you can use your own key and encryption logic.
Important Note: Before configuring custom cryptography, take a backup of the Password Manager Pro folder. If the database server is configured in a different machine, ensure that you take a copy of the entire Password Manager Pro database as well. This will avoid data loss, if anything goes wrong during the configuration process. Also, please take necessary precaution with regard to the following aspect:
Personal Password Management
In case, you / other users in your organization have used 'Personal Password Managerement' in Password Manager Pro with the option of specifying own encryption key, which is NOT stored in Password Manager Pro, those data will eventually be lost when you configure custom cryptography and cannot be retrieved later. Therefore, users will have to be advised to use the 'Export Passwords' option in the personal passwords section before configuration.
Steps to implement custom cryptography in an existing Password Manager Pro installation
A brief summary of the steps to configure custom cryptography in Password Manager Pro include writing an implementation class to run your own encryption logic and executing it. Here are the steps in detail:
Step 1: Write your own implementation class
You need to first write your own class implementing the interface PMPEncryptDecrypt.java as explained below.
Please refer to the javadoc for interface PMPEncryptDecrypt for more details.
Notes:
- generateCryptographicKey() method in the class should generate and return a new 32bit key whenever called while getPmp32BitKey() should return the last generated 32bit key, whenever called.
- getMSSQLMasterKey() should return the database master encryption key, that will be used while setting up the MSSQL Always-On cluster as backend. If the return value is null or empty-string, then cluster level nodes' switch-over operations will not be handled.
Step 2: Archive your implementation class
Now, convert your implementation class as SampleEncryption.jar and move it to <PMP-Installation Folder>/lib directory.
Step 3: Stop Password Manager Pro server
Stop the server of Password Manager Pro if it is running.
Step 4: Execute the Migrate Cryptography script
Scenario 1: High Availability/Failover Service is not configured
Execute the MigrateCryptography.bat script available in <PMP_HOME>\bin folder and pass your implementation class as argument.
Script Usage :- MigrateCryptography.bat com.org.crypto.SampleEncryptDecrypt
Scenario 2: In case of High-Availability/Failover Service being configured
Here are the steps to be followed for to execute the script if High Availability or Failover Service has been configured in Password Manager Pro:
- Stop and uninstall secondary server.
- Configure custom cryptography in Primary by executing migrateCryptography.bat
- Next, install a fresh secondary instance of Password Manager Pro.
- Now, reconfigure High Availability/ Failover service. The HAPack.zip or FOSPack.zip will contain the custom encryption jar.
Step 5: Add Custom Cryptography to PMPED File
After executing the script, open the file ‘pmped.conf’ present inside <PMP-Home>/conf folder. In the file, look for EDCLASS and add an entry next to it as specified
EDCLASS=com.adventnet.passtrix.ed.PMPEncryptDecryptImpl
EDJARS=MyOwnEncDecImpl1.jar,MyOwnEncDecImpl2.jar
In the above entry, MyOwnEncDecImpl1.jar,MyOwnEncDecImpl2.jar are sample cryptography jars. Rename your jar files as required and specify one or more jars in a comma separated format. In case, you are using third party jars, then specify that first followed by your implementation class.
Step 6: Start Password Manager Pro server
After completing the above steps, you need to start Password Manager Pro to give effect to this implementation.