This is documentation for Apprenda 7 and 8.
Documentation for older versions are also available.

Encryption and Key Management for Platform Secrets (Platform version 7.2.0 and later)

Symmetric and Asymmetric Cryptography for Secrets

Symmetric key cryptography allows for performant encryption and decryption operations of data of varying sizes. This makes it ideal for securing secret values or secrets like passwords, keys, and tokens. A drawback to symmetric key cryptography, however, is that every value is encrypted or decrypted using a shared key. If an attacker were to compromise the shared key, they would be able to encrypt and decrypt all secrets it protects.

Conversely, asymmetric cryptography does not provide the same performance and has limitations on the size of the data that a key pair can encrypt compared to symmetric key. One major advantage asymmetric cryptography can provide is an extra layer of authentication to symmetric cryptography by using a randomly generated key pair to secure the shared secret. Using this combination of cryptographic systems, an attacker would need multiple, disparate keys to unlock secrets.

Cryptography on the Platform for Secrets

The Apprenda Cloud Platform takes advantage of both symmetric and asymmetric cryptography to secure Platform secrets at-rest and in-transit. At install time, the Platform uses the Bouncy Castle Crypto APIs to generate a RSA 2048-bit key pair. This constitutes a PKCS 12 (PFIX) file archive that contains a X.509 certificate, containing a public key, and a corresponding private key. Using the key pair, the Platform then generates and encrypts a unique AES 256-bit symmetric key, which is for the encryption and decryption of Platform secrets.

Platform secrets are stored in a few locations within the Platform. Most are stored in Platform Databases, but some are stored in the Platform Cache, Windows Registry, Environment Descriptor files, Environment Switcher file, and Linux config files. Only the Apprenda Administrator account, Windows Local System/Service accounts, the Linux root user, and the Linux apprendaLogStash user have access to the private key, which prevents guest applications from gaining unauthorized access to Platform secrets.