Skip to main content
Matrix42 Self-Service Help Center

Database Security

Overview

All users' sensitive data stored in the Production Database (e.g. passwords) are encrypted with the Encryption Key stored outside of the Database, which guarantees the data cannot be compromised even in a case when the Database is shared.

Database encryption has been implemented in all versions of the Matrix42 platform, but it is strongly recommended to run data re-encryption tool manually for all installations preceding 9.1.2  in order to lower the security risks and improve data protection.

Data re-encryption tool is a PowerShell script available for users with Administrator rights at %ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1

ReEncryptData tool particularities:

Database encryption is implemented based on the Advanced Encryption Standard, or AES.

Matrix42 installation

Reinforced sensitive data encryption is provided by default starting from the version 9.1.2.

Matrix42 system update

The database encryption mechanism is not upgraded by the regular Matrix42 system update. The ReEncryptData tool for reinforced sensitive data encryption should be run manually.

Database encryption upgrade

This section provides a step-by-step walkthrough for the database encryption upgrade with the ReEncryptData tool.

Prerequisites

To complete this walkthrough, you will need the following:

  • Matrix42 Software Asset & Service Management 9.1.1 or lower;
  • Microsoft PowerShell 4.0 or greater installed and configured on the server that hosts Matrix42 Software Asset & Service Management;
  • User with administrator rights.

Additionally, you may backup the main database (by default M42Production) and current database encryption key. This step is optional as the previously used encryption key is kept and remains operational. The same is applied for the data, as the changes consider the specific field values re-encryption and not the entire database modification. 

Encryption key 

The current database encryption key is stored in the key attribute of the configuration file:

%ApplicationFolder%/bin/securityCryptographyConfiguration.config

<?xml version="1.0" encoding="utf-8"?>
<securityCryptographyConfiguration>
  <databaseEncryption key="current_key" />
</securityCryptographyConfiguration>

The Encryption Key is an integral part of the Production database, which means they always come together. If you would like to use the Production database in another environment  (Test or Development), you need to movesecurityCryptographyConfiguration.config to this environment. 

Running data re-encryption script

Data re-encryption script is run manually as a PowerShell command by the user with Administrator rights:  

%ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1

clipboard_ed7518e14d4abef6718ace1367596f471.png

The script requires database access credentials:

clipboard_e751ff74c900b97c7b11dd266fcd588b0.png

Successfully run data re-encryption script:

clipboard_ea873f465945c0835dcbdb7feed9bab45.png

First run

The first run of the data re-encryption script generates the new database encryption key and stores the previously used one:

%ApplicationFolder%/bin/securityCryptographyConfiguration.json

<?xml version="1.0" encoding="utf-8"?>
<securityCryptographyConfiguration>
  <databaseEncryption key="NewKey" key0="PreviousKey" />
</securityCryptographyConfiguration>

The new encryption mechanism is backward compatible and supports the data encrypted with the outdated encryption key.

All values listed in the data re-encryption script are encrypted with the new key and get a "1 " prefix assigned to the encrypted value:

Password UserId
1 JDJKZnatxMp1m751 123
1 CfmbmZdhgjwc3csd 124
1 sfgAfhmLfgvx4dmpf 125

Data from the fields that were encrypted with the previously used key and were not added to the list of the re-encrypted fields are still operational, as the previous encryption key is kept by default.

The candidate-fields missed during the first run of the script can be included in the PowerShell script manually, and re-encrypted with the new key during the subsequent run of the %ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1 

Extending encryption data set

ReEncryptData tool re-encrypts the default system data.  This change is applied to the standard attributes of the provided by default Data Definitions and re-encrypts mainly passwords for accessing third-party systems like e-mail server or Active Directory account credentials. The complete list of the re-encrypted data is available in the ReEncryptData tool.

Any custom fields that store encrypted data (passwords, user credentials, or any other sensitive data) that should be re-encrypted must be added to the list of default system data. The changes can be added to the ReEncryptData tool as follows:

%ApplicationFolder%/Config/PowerShellScripts/ReEncryptData.ps1

 @{
     Name = "DataDefinitionName"
     Columns = @("CustomColumnName")              # syntax for the single column update
  },
 @{
     Name = "CustomDataDefinitionName"
     Columns = @("Column1", "Column2", "Column3") # data re-encryption example for multiple attributes of the same Data Definition  
  },

Subsequent runs

All subsequent runs can be performed manually and are required if the custom fields were manually added to the standard list of encrypted fields.

Data re-encryption script particularities during the subsequent runs:

  • the new encryption key is not generated. The data encryption uses the current key value from the %ApplicationFolder%/bin/securityCryptographyConfiguration.json;
  • re-encrypting all necessary values without the  ''1 " prefix with the current encryption key, assigning "1 " prefix accordingly;

  • automatically restarting Martix42 services.

  • Was this article helpful?