How to setup an encrypted server
We are happy to announce a new Plastic SCM feature that allows configuring a server with encrypted data.
It means that, in your organization, you can configure a central server where all the data is encrypted. This way, the users who have a specific key, will be able to push/pull data to this server.
It is important to remark that this server is created for replication purposes only. Repositories have all data encrypted. If we directly download the file content to a workspace, we will only see empty files (the data is encrypted).
This configuration could be very useful when your server is accessible from a public network or you just need to be sure that even if a not authorized person access to your server, he will not be able get any information.
The encryption mechanism is configured using a cryptedservers.conf file. This file contains two fields: The encryption server (address:port) and the key file.
This way, when a replication is performed, if the remote server is included in the cryptedservers.conf file, the data will be encrypted if it’s a push operation or decrypted if it’s a pull operation.
The key will be only stored in the developer´s server. So a person accessing to the encryption server cannot get any information from it unless he also has the encryption file.
Encryption key file
Let´s review how to write your custom encryption key file. This file will be necessary if you want to push/pull content to the central encryption server.
The encryption key file has two fields: the encryption method and the password and both are defined by the user.
The supported encryption methods are: AES128, AES192 and AES256. The user can select the encryption method based on his needs: more security, speed…
The password could be plain text or it could be cyphered as any other password in Plastic using the cm crypt command.
These encrypted servers are configured for replication operations (push/pull). If you try to perform other operations, you will see empty files (because it´s actually encrypted in the database).
It´s also important to notice that the "key file" will be always required to crypt and decrypt the data (push/pull), so don't loose it or you won´t be able to recover the data.