A common issue in FIPS compliance is protecting the key that is used for encryption. A software-based module cannot protect that key from anyone who has root (administrator) access to the system, because the key, or the passphrase that unlocks it, must be readable by the process that uses it.
CA GovernanceMinder can support hardware-based key storage. However, implementation details differ for each hardware solution and cannot be described here.
The product supports the following software-based methods of key handling. None of them is FIPS-compliant on its own; some provide adequate security for enterprise environments when the host and the configuration files are properly protected.
Passphrase held by the product

    The following Java class is used to retrieve the passphrase:

        com.eurekify.security.SimplePassPhraseGetter

    Use of this Java class ensures that the key is not stored in clear text. This method is not FIPS-compliant.

Passphrase stored in a text file

    The passphrase is read from a text file in the following directory:

        gm_install\Server\eurekify-jboss\conf

    Note: gm_install is the CA GovernanceMinder installation directory.

    The following Java class is used to retrieve the passphrase:

        com.eurekify.security.FilePassPhraseGetter

    The customer is responsible for securing the text file (for example, by restricting read access to the account that the server runs as). This method is not FIPS-compliant.

Custom passphrase retrieval

    You can supply your own Java class that implements the following interface:

        package com.eurekify.security;

        public interface PassPhraseGetter {
            /**
             * @return the passphrase used for the symmetric encryption
             */
            public String getPassPhrase();
        }
You specify one of the previous options by setting the passphrase.getter.class parameter to the fully qualified name of the class when you configure FIPS encryption.
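The following is an added example of a custom PassPhraseGetter, written for this page and not part of CA GovernanceMinder. It hardens the "passphrase in a text file" approach by refusing to read a file that is a symbolic link or that is readable by group or others, so a world-readable passphrase file fails closed instead of silently working. Everything except the PassPhraseGetter interface is an assumption: the package name, the system property that names the file, the default path, and that the product instantiates the class configured in passphrase.getter.class through a public no-argument constructor. Compile it against the product's PassPhraseGetter interface (printed above). The permission check uses POSIX attributes, so on a Windows host it fails closed rather than reporting false safety; an ACL-based check would be needed there.

```java
// Added example, not CA GovernanceMinder product code.
// Assumes (not stated on the page) that the product loads the class named in
// passphrase.getter.class via a public no-argument constructor.
package example; // hypothetical package

import com.eurekify.security.PassPhraseGetter;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public class PermissionCheckedFilePassPhraseGetter implements PassPhraseGetter {

    // Hypothetical property naming the passphrase file; the default path is an assumption too.
    static final String PATH_PROPERTY = "example.passphrase.file";
    static final String DEFAULT_PATH = "/etc/governanceminder/passphrase";

    // Any of these bits means an account other than the file owner can touch the file.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    @Override
    public String getPassPhrase() {
        Path file = Paths.get(System.getProperty(PATH_PROPERTY, DEFAULT_PATH));
        try {
            return readChecked(file);
        } catch (IOException e) {
            // Fail closed: never fall back to a built-in default passphrase.
            throw new IllegalStateException("cannot load passphrase from " + file, e);
        }
    }

    // Reads the first line of the file after verifying it is a regular, owner-only file.
    static String readChecked(Path file) throws IOException {
        if (Files.isSymbolicLink(file)) {
            throw new IOException("passphrase file must not be a symbolic link");
        }
        if (!Files.getFileStore(file).supportsFileAttributeView("posix")) {
            // Windows/NTFS: POSIX bits are unavailable, so refuse instead of skipping the check.
            throw new IOException("POSIX permissions not available; an ACL check is required here");
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
        for (PosixFilePermission p : perms) {
            if (FORBIDDEN.contains(p)) {
                throw new IOException("passphrase file is accessible to group/others: " + perms);
            }
        }
        // The passphrase is the first line; the trailing newline is dropped by readAllLines.
        List<String> lines = Files.readAllLines(file, StandardCharsets.UTF_8);
        if (lines.isEmpty() || lines.get(0).isEmpty()) {
            throw new IOException("passphrase file is empty");
        }
        return lines.get(0);
    }

    // Stand-alone demonstration with a constructed temp file: 0600 is accepted, 0640 is rejected.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempFile("passphrase-demo", ".txt");
        try {
            Files.write(tmp, "example passphrase (constructed)\n".getBytes(StandardCharsets.UTF_8));
            Files.setPosixFilePermissions(tmp,
                    EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
            System.out.println("0600 -> accepted: " + readChecked(tmp));
            Files.setPosixFilePermissions(tmp, EnumSet.of(PosixFilePermission.OWNER_READ,
                    PosixFilePermission.OWNER_WRITE, PosixFilePermission.GROUP_READ));
            try {
                readChecked(tmp);
            } catch (IOException e) {
                System.out.println("0640 -> rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

Note that the interface returns a String, which the JVM cannot reliably zeroize, and that the server process (and therefore root) can still read the file; the check only closes the common misconfiguration of a passphrase file that anyone on the host can read. As the page states for the file-based method, this remains a software-based, non-FIPS-compliant approach.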
Copyright © 2014 CA.
All rights reserved.