Filesystem secret stores
A filesystem secret store maps to a directory storing an arbitrary number of files that each contain one secret. When filesystem secret stores are used, IDM reads the contents of a file with a name matching the secretId field in the secret store’s mapping list.
Filesystem secret stores are useful to provide secrets from third-party secret stores like AWS Secrets Manager or Google Secrets Manager. They can also be used to separate your secrets from your configuration files.
Filesystem secret stores may be encoded with the following encoding schemes:
-
PLAIN
-
PEM
-
BASE64
-
BASE64URL
The following configuration is an example of a filesystem secret store which is configured to use the /secrets directory and contains a mapping for the idm.admin.password secret:
{
"name":"secretVolume",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"format": "PLAIN",
"directory": "&{idm.install.dir}/secrets",
"mappings": [
{
"secretId": "idm.admin.password",
"types": [
"GENERIC"
]
}
]
}
}Configuring automatic encryption
You can add automatic encryption to the filesystem secret store by adding the encryptionKey field. The following example demonstrates encrypting the Prometheus password with the idm.default encryption key:
{
"name": "fileSystemStore",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"directory": "&{idm.install.dir}/secrets",
"format": "PLAIN",
"encryptionKey": "idm.default",
"mappings": [
{
"secretId": "idm.prometheus.password",
"types": [
"GENERIC"
]
}
]
}
}By default, IDM uses AES Key Wrap with a 128-bit key for JWT key management and AES_128_CBC_HMAC_SHA_256 for content encryption. These can be configured by setting the encryptionAlgorithm and encryptionMethod fields on the store config respectively.
Example: Create a new user type
The following example creates a new type of static user, openidm-super, with a new secret, idm.super.password, kept in the filesystem secret store. To configure the user:
-
In
conf/authentication.json, add the following new user configuration:{ "name": "STATIC_USER", "properties": { "queryOnResource": "internal/user", "username": "openidm-super", "password": { "$purpose": { "name": "idm.super.password" } }, "defaultUserRoles": [ "internal/role/openidm-authorized", "internal/role/openidm-admin" ], "enabled": true } } -
In
conf/secrets.json, add a new mapping for theidm.super.passwordsecret:{ "secretId": "idm.super.password", "format": "PLAIN", "types": [ "GENERIC" ] }Only use the optional formatparameter if the secret is encoded using a different scheme than the rest of the secret volume. -
In the directory that you’ve configured to be your filesystem secret store, create a file named
idm.super.passwordand populate it with your secret data.
Configuring purpose versions
The filesystem secret store supports multiple versions of the same purpose. To configure this, specify the versionSuffix property in the store’s definition in conf/secrets.json. The following example adds the .v suffix to a purpose called idm.pem.purpose:
{
"name": "pemStore",
"class": "org.forgerock.openidm.secrets.config.FileSystemStore",
"config": {
"format": "PEM",
"directory": "&{idm.install.dir}/secrets",
"versionSuffix": ".v",
"mappings": [
{
"secretId": "idm.pem.purpose",
"types": [
"ENCRYPT",
"DECRYPT"
]
}
]
}
}Once versionSuffix is defined, you can version your purpose files by adding it to the file name. Following the example above, the files could be named idm.pem.purpose.v1, idm.pem.purpose.v2, and so on. The highest version number is the active secret.