[CryptoAPI] What happens to encrypted content when OS Platform key is changed

Published on 2015-11-29 by Ricardo Silva

We are using the platform key to encrypt/decrypt site properties.
We use KEncrypt and KDecrypt.
The question is: what happens if OutSystems changes the Platform Key?
Will KDecrypt fail decrypting the Site Property because the key that was used to encrypt was changed?
If so, that would be bad. I wonder how we could decrypt anything after OutSystems installs a new Platform Key. We don’t keep the old Platform key.
Also, it would be a lot of work to decrypt everything using the old key and encrypt using the new key.
What’s your suggestion?
Hi there Fabian,

TL;DR: don't worry about it. Just keep a backup of the private.key file.

First of all, yes. If the key used to encrypt your site properties should ever be deleted, you would not be able to recover the data encrypted by it. Decryption would simply fail.

However, the OutSystems Private Key used by Crypto API is the same key mentioned in this post for storage of confidential settings. I would like to note one thing: this key is not OutSystems'. It's not the same key for every OutSystems installation. It's a private key used ONLY on your environment.

The key is yours, so OutSystems will not change it. Updating or upgrading the OutSystems Platform is not expected to change the key.

If you have any disaster recovery plan, for instance, you should keep a backup of this key; otherwise, any configuration of the OutSystems Platform protected by it will be lost and need to be redone (for example, email passwords, database connection configurations).

Since you are using it on your application, you should keep a backup of it.

In any case, you pose another interesting question. You want to be able to change the "key" without having to re-encrypt everything you encrypted with it. One thing you can do to achieve this is to simply encrypt the key used to encrypt your site properties.

This is a technique commonly used to secure large amounts of data with a password. Instead of encrypting stuff with the key generated by the password (K1), you encrypt a randomly generated key (K2) with K1. Then all you need to do when you want to change the password is re-encrypt K2 with the key generated by the new password.

You could use a similar technique here, by encrypting your own randomly generated key with the OutSystems Platform's private key for your environment. However, I don't see a need for this in your case. You would only change the OutSystems Platform private key if it ever were compromised, and in that case you should always change all the keys protected by that key.

Sorry if I ended up making this a bit more confusing, but key storage is a really tough problem :)

Please let me know if anything wasn't clear.
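The K1/K2 key-wrapping scheme described in the answer above, as an added Ruby example that is not part of the original thread and is not OutSystems code. It uses AES-256-GCM from Ruby's OpenSSL bindings in place of KEncrypt/KDecrypt; the names `seal`, `unseal`, `rewrap` and `demo`, the byte layout and all key values are assumptions constructed for illustration.

```ruby
require 'openssl'

NONCE_LEN = 12 # default GCM nonce size
TAG_LEN   = 16 # GCM authentication tag size

# Encrypts plaintext under a 32-byte key. Output layout: nonce || tag || ciphertext.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverses seal. Raises OpenSSL::Cipher::CipherError when the key is wrong or the
# value was altered: without the right K1 the wrapped K2 cannot be recovered.
def unseal(key, sealed)
  raise ArgumentError, 'sealed value too short' if sealed.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = sealed.byteslice(0, NONCE_LEN)
  cipher.auth_tag = sealed.byteslice(NONCE_LEN, TAG_LEN)
  cipher.update(sealed.byteslice(NONCE_LEN + TAG_LEN, sealed.bytesize)) + cipher.final
end

# Changes K1: only the wrapped K2 is re-encrypted; data sealed under K2 is untouched.
def rewrap(old_k1, new_k1, wrapped_k2)
  seal(new_k1, unseal(old_k1, wrapped_k2))
end

# Constructed demo values. k1 stands in for the environment's platform key.
def demo
  k1 = OpenSSL::Random.random_bytes(32)
  k2 = OpenSSL::Random.random_bytes(32) # random data key, stored only in wrapped form
  data = seal(k2, 'constructed site property value')
  wrapped = seal(k1, k2)
  new_k1 = OpenSSL::Random.random_bytes(32)
  rewrapped = rewrap(k1, new_k1, wrapped)
  plain = unseal(unseal(new_k1, rewrapped), data) # data ciphertext never changed
  old_key_still_works = begin
    unseal(k1, rewrapped)
    true
  rescue OpenSSL::Cipher::CipherError
    false
  end
  { plain: plain, old_key_still_works: old_key_still_works }
end

p demo if $PROGRAM_NAME == __FILE__
```

Rewrapping only stops the old K1 from opening the new wrapped copy; anyone who held both the old K1 and the old wrapped K2 still knows K2, which is why a compromised K1 calls for replacing the keys it protected as well.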
Hi Ricardo 

Great information. Thank you so much. 

Where is the platform key stored on the server?

Thank you.
It's on the platform folder. Usually C:\Program Files\OutSystems\Platform Server\private.key