Encryption

There are three areas in Keep where encryption keys are needed:

  1. HTTPS for the Keep ports
  2. Encryption key for JWT signing
  3. Encryption key to sign requests to the IDVault

This page documents the creation of those keys; check the security page for configuration details.

HTTPS certificates for Keep ports

When your server is facing the internet or you don’t have the ability to distribute custom (root) CA (certificate authority) certificates to your users, you should consider using a certificate from an official source, like letsencrypt. This guide will not describe the steps for that procedure. You can run Keep without encryption; however, unless you run on a container service like Kubernetes or OpenShift, where the container platform handles encryption, a Kitten must die when you deploy to production.

If you travel down the road of creating your own CA (certificate authority), you must:

  • Create the private key and root certificate
  • Create an intermediate key and certificate
  • Create certs for your servers
  • Convert them if necessary (e.g. for import into a Java Keystore, JKS)
  • Make the public key of the root and intermediate certs available
  • Import these certs in all browsers and runtimes that you will use for testing

Follow the detailed instructions and the follow-up.

Again: better to use LetsEncrypt.

Encryption key for JWT signing

Keep uses JWT for authentication. When you get started with Keep, you probably log in with a Domino username/password. Keep, out of the box, uses an ephemeral symmetric key to sign the tokens. Since you neither get to see the key nor share it, this is reasonably secure. A restart of Keep will use a new key, so tokens issued before the restart become invalid.

When you want to use a key that can be deployed to an external IdP (Identity Provider) or used to send requests to the IDVault service, you need to generate a public/private key pair (Never share the private key!) and configure the security settings.

Key generation is done with ssh-keygen and the OpenSSL tool; this gets you an RSA key:

ssh-keygen -t rsa -b 4096 -m PEM -f private.key
openssl rsa -in private.key -pubout -outform PEM -out public.pem

When you prefer Elliptic-curve keys (smaller, more modern), use this:

openssl ecparam -genkey -name secp521r1 -noout -out privatekey.pem
openssl ec -in privatekey.pem -pubout -out publickey.pem

The parameter -name secp521r1 selects the P-521 curve required by the ES512 signature algorithm. Don’t change that.

Encryption key to sign requests to the IDVault

The needed key is an ES512 elliptic-curve key as above. Keep the private key safe and configure it in security. The public key needs to be imported into the IDVault. Check the documentation there.

openssl ecparam -genkey -name secp521r1 -noout -out privatekey.pem
openssl ec -in privatekey.pem -pubout -out publickey.pem
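The key-generation steps for JWT signing and for the IDVault above are identical, so a single check serves both. The following script is an added example, not part of the Keep documentation: it runs the two openssl commands from this page and then verifies, before anything is configured, that the curve really is secp521r1, that the public key file belongs to the private key, and that an ECDSA/SHA-512 sign-and-verify round trip works. The function names and the self-test message are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Keep documentation): generate an ES512 key pair
# as described on the page, then verify it before configuring Keep or the IDVault.
set -eu

# Generate privatekey.pem / publickey.pem in the given directory (page's commands).
gen_es512_keypair() {
  dir="$1"
  mkdir -p "$dir"
  openssl ecparam -genkey -name secp521r1 -noout -out "$dir/privatekey.pem"
  openssl ec -in "$dir/privatekey.pem" -pubout -out "$dir/publickey.pem" 2>/dev/null
  chmod 600 "$dir/privatekey.pem"   # the private key must never be shared
}

# Return 0 if priv/pub are a matching P-521 pair usable for ES512.
# Non-zero codes name the failed check: 1 wrong curve, 2 key mismatch, 3 sign/verify failed.
check_es512_keypair() {
  priv="$1"; pub="$2"
  # 1. The curve must be secp521r1; any other curve cannot produce ES512 signatures.
  openssl ec -in "$priv" -noout -text 2>/dev/null | grep -q 'ASN1 OID: secp521r1' || return 1
  # 2. The public key file must be the one derived from this private key.
  derived=$(openssl ec -in "$priv" -pubout 2>/dev/null)
  [ "$derived" = "$(cat "$pub")" ] || return 2
  # 3. Sign a constructed message with ECDSA over SHA-512, verify with the public key.
  tmp=$(mktemp -d)
  printf 'keep-es512-selftest' > "$tmp/msg"
  openssl dgst -sha512 -sign "$priv" -out "$tmp/sig" "$tmp/msg"
  if ! openssl dgst -sha512 -verify "$pub" -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 3
  fi
  rm -rf "$tmp"
  return 0
}
```

Run check_es512_keypair against the pair you intend to configure; a non-zero exit code tells you which of the three checks failed.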