Database Secret Service
The Database Secret Service provides in-database encrypted storage of secret values. The service uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with no padding for encryption. For key derivation, it uses Password-Based Key Derivation Function 2 (PBKDF2) with a Hash-based Message Authentication Code (HMAC) built on Secure Hash Algorithm (SHA)-256.
Configuration of the Database Secret Service is done via environment variables, typically in your Tomcat context.xml file. The keys and their respective values are described in the table below:
| Key | Value |
| --- | --- |
| brightspot/cms/defaultSecretService | The name of the default secret service. This is used in other keys below and is designated as {name}. |
| brightspot/cms/secretService/{name}/class | com.psddev.cms.secret.DatabaseSecretService |
| brightspot/cms/secretService/{name}/key | A secret key to be used for encryption. This could be any value, but should be treated as a password. |