Repository encryption
FirstSpirit uses repositories to maintain version histories of project data. The repository is a central location for managing the file structures required by the content management system (media, pages, templates, etc.). There is a separate repository for each project. Data is written to the repository whenever an action is performed in FirstSpirit (e.g. when elements are created, edited or deleted).
Repository files (structures, content, media) can be saved in an encrypted format. This involves performing the following steps:
- Create a global key file for the FirstSpirit Server
- Configure encryption on the server – the minimum requirement for encryption is that the repository.encryption.keyFilePath parameter must be configured (see Storage Engine Properties)
- Configure project-specific encryption (see Repository)
- Perform encryption/decryption
The actual encryption process is handled by the Java Cryptography Extension (JCE). All symmetric ciphers and modes supported by the relevant Java platform can be used. Which ones are available depends on the Java version in use and on whether the “Unlimited Strength Jurisdiction Policy Files” (see http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) are installed.
See also page “Area: Storage Engine Properties”, parameters repository.encryption.algorithm and repository.encryption.keySize.
Creating the key file
The first step is to create a key file using a key of your choice. This global server key must be at least eight bytes long. The content of the specified file must be encoded in UTF-8. Whitespace at the beginning and end of the file is ignored.
The file must be saved in a suitable location.
Access to the global server key file should be properly secured to prevent unauthorized persons from accessing the repository contents. Note also that if the key file is damaged or lost, it will no longer be possible to access the contents of the repository.
The path to the key file must be stored in fs-server.conf (for information on configuration, see Storage Engine Properties). Only then can encryption of the FirstSpirit project repositories be enabled in the project settings.
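The key file requirements above (UTF-8 content, at least eight bytes after trimming, restricted access) can be checked before the path is entered in fs-server.conf. The following is an added example, not FirstSpirit code: the file name, the 0600 file mode and the use of Python's strip() to model the ignored leading and trailing whitespace are assumptions.

```python
import base64
import os
import secrets
import stat
import tempfile

MIN_KEY_BYTES = 8  # minimum key length stated in the documentation


def create_key_file(path, random_bytes=32):
    """Write a random, Base64-encoded key; fail if the file already exists."""
    key = base64.b64encode(secrets.token_bytes(random_bytes))  # ASCII is valid UTF-8
    # O_EXCL refuses to overwrite an existing key; 0o600 = owner read/write only
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(key + b"\n")  # trailing whitespace is ignored per the docs


def check_key_file(path):
    """Return a list of problems; an empty list means all checks passed."""
    with open(path, "rb") as handle:
        raw = handle.read()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["content is not valid UTF-8"]
    problems = []
    # Assumption: str.strip() approximates the server's whitespace trimming
    trimmed = text.strip().encode("utf-8")
    if len(trimmed) < MIN_KEY_BYTES:
        problems.append(
            f"key is {len(trimmed)} bytes after trimming, minimum is {MIN_KEY_BYTES}"
        )
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:o} lets group or others access the key")
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = os.path.join(tmp, "repository.key")  # hypothetical file name
        create_key_file(demo)
        print(check_key_file(demo) or "key file OK")
```

Because a lost key makes the repository unreadable, keep an offline backup of the generated file under the same access restrictions.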
Performing encryption/decryption
If you enable the “Encryption enabled” option for the project (see Repository) and confirm your choice by pressing OK, encryption of the data commences in accordance with the desired settings. The relevant project is deactivated during the process. Given that encryption can take a little while, it should only be performed during a maintenance period.
If you deactivate the “Encryption enabled” option and confirm your choice by pressing OK, the data for the relevant project is decrypted using a similar process to the one described above.
The encryption/decryption process must not be interrupted because this can result in an undefined project state.
If changes are required (e.g. due to a system failure during encryption), please contact https://help.e-spirit.com/.