From 4782f388c20d565d47b7b7e6444924246f82751b Mon Sep 17 00:00:00 2001 From: David Mueller Date: Wed, 6 Nov 2024 11:58:59 -0500 Subject: [PATCH] change AES encryption #7651 --- modules/ROOT/pages/password-encryption.adoc | 4 +++- modules/reference/pages/command/securityUtility-encode.adoc | 5 ++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/password-encryption.adoc b/modules/ROOT/pages/password-encryption.adoc index f4a54c3911..1bb0d5325b 100644 --- a/modules/ROOT/pages/password-encryption.adoc +++ b/modules/ROOT/pages/password-encryption.adoc @@ -16,7 +16,9 @@ = Password encryption limitations Open Liberty supports the Advanced Encryption Standard (AES) encryption for passwords that are stored in the `server.xml` file. -When you use this option for protecting passwords in the Open Liberty configuration, understand the limitations to the protection that AES encryption provides. Currently, Open Liberty supports AES-128 encryption. +When you use this option for protecting passwords in the Open Liberty configuration, understand the limitations to the protection that AES encryption provides. + +The Open Liberty `securityUtility encode` command uses AES-256 encryption when the `--encoding` option is set to `aes`. The default value for this option is `xor`. For AES decryption, Open Liberty supports both AES-128 and AES-256. Encrypting a password in the Open Liberty configuration does not guarantee that the password is secure or protected. Encrypting a password means that someone who can see the encrypted password cannot easily recover the password unless they know the encryption key. diff --git a/modules/reference/pages/command/securityUtility-encode.adoc b/modules/reference/pages/command/securityUtility-encode.adoc index 951b7664fb..5cbdd2243e 100644 --- a/modules/reference/pages/command/securityUtility-encode.adoc +++ b/modules/reference/pages/command/securityUtility-encode.adoc 
@@ -60,11 +60,10 @@ securityUtility encode [options] |--encoding=_encoding_type_ |Specifies how to encode the password. Supported encodings types are `xor`, `aes`, and `hash`. -If this option isn't specified, a default encoding type of `xor` is used. Currently, the `aes` type uses AES-128 encryption. +If this option isn't specified, a default encoding type of `xor` is used. The `aes` type uses AES-256 encryption. {empty} + {empty} + -You can use the `hash` encoding type to encode passwords for a xref:ROOT:user-registries-application-security.adoc[basic user registry]. -As of version 19.0.0.2, you can also use the `hash` encoding type to encode passwords for the xref:config/quickStartSecurity.adoc[quickStartSecurity element]. +You can use the `hash` encoding type to encode passwords for a xref:ROOT:user-registries-application-security.adoc[basic user registry] or passwords for the xref:config/quickStartSecurity.adoc[quickStartSecurity element]. |--key=_encryption_key_ |Specifies the key to use when you encode with AES encryption.
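Review bot: In the `password-encryption.adoc` hunk, the new paragraph states that `securityUtility encode` uses AES-256 and that decryption supports both AES-128 and AES-256, but it gives no release from which this applies. The removed sentence ("Currently, Open Liberty supports AES-128 encryption") was at least marked as point-in-time. A reader on an older runtime will take the AES-256 statement as true for their version. Suggest qualifying the sentence with the release that introduced the change. Because the page is about the limits of this protection, also suggest saying whether values already encoded with AES-128 should be re-encoded or are simply still accepted. The sentence "The default value for this option is `xor`" sits between two AES statements without saying that the default does not use AES at all, so it would read more clearly as its own sentence that contrasts `xor` with `aes`.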
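Review bot: In the `securityUtility-encode.adoc` hunk, merging the two `hash` sentences removes the "As of version 19.0.0.2" qualifier for the `quickStartSecurity` element, and the new "The `aes` type uses AES-256 encryption" line has no version qualifier either, so the option table no longer tells readers which releases behave as described. If the version note is being dropped on purpose, say so in the commit message, which currently reads only "change AES encryption #7651". Otherwise keep the qualifier and add one for AES-256. The merged sentence also repeats "passwords for": "encode passwords for a ... basic user registry or for the ... quickStartSecurity element" reads better. Since the same row is being touched, the context line "Supported encodings types are" could be corrected to "Supported encoding types are". This row could also mention, or link to, the AES-128 decryption compatibility that the other file now documents.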