Encryption Setup on Wildfly with Elytron

This guide covers two ways to initialize the credential store that WildFly Elytron uses for encryption, and how to reuse the resulting secret key across several server instances.

To set up encryption, follow these two steps:

1. Initialize credential store

You can initialize the credential store using one of the following two methods:

a) Automatic Setup During Encryption

Navigate to the Administration section in the frontend and select Encryption. As long as the encryption setup has not been completed, any attempt to encrypt a string opens a confirmation dialog stating that the setup is incomplete. Press OK and the system finalizes the encryption setup automatically. This method only works once the application is deployed and running; if you need encrypted values before that, use the CLI method below.

b) CLI Method

Use this method when you need encrypted values before the application is deployed, for example to encrypt the database password in the datasource configuration.

To begin, launch the server in admin-only mode. In this mode WildFly starts only its management interfaces and does not deploy applications, so the CLI can reconfigure Elytron before your EAR starts:

On Linux/macOS:

./standalone.sh --admin-only

On Windows machine:

standalone.bat --admin-only

In a new terminal, start jboss-cli and connect it to the running server:

On Linux/macOS:

./jboss-cli.sh -c

On Windows:

jboss-cli.bat -c

Once the CLI is running and connected, follow these steps:

1. Remove the initial setup for the credential store and expression resolver

Run the following command in the WildFly CLI:

2. Create the secret-key credential store

Run the following command in the WildFly CLI to create the secret-key store:

This command creates the tim_store_secret.cs file in the WILDFLY_HOME/standalone/configuration folder. Treat this file as a secret: a secret-key credential store is not password-protected, so restrict its file permissions and keep it out of version control and unprotected backups.

3. Generate the secret key

Generate a random secret key by running this command:

This saves the generated key, under its alias, in the tim_store_secret.cs file located in WILDFLY_HOME/standalone/configuration/. Anyone holding this key can decrypt every value encrypted with it.

4. Add the encryption resolver

Add the encryption resolver, which points at the store and the key alias, by running:

5. Set the default resolver

To register the resolver as the default (so that the resolver name does not have to appear in the encrypted strings), execute:

6. Reload the configuration

Run reload in the CLI so that the new store and resolver become active.

7. Run the encryption command

To encrypt any clear-text string, use:

The result is an expression of the form ${ENC::...}; put it in the configuration in place of the clear-text value.

8. Reload the server and set admin-only to false

After configuring encryption and applying the encrypted values in the standalone configuration, reload the server with admin-only disabled (reload --admin-only=false) so that the deployment of your EAR file proceeds.
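The eight CLI steps above, written out as an added example in shell (not code from the original page or from WildFly itself): it prints the jboss-cli command sequence and, if JBOSS_HOME points at an installation, pipes it into jboss-cli.sh. The page gives only the file name tim_store_secret.cs; the store resource name tim_store_secret, the key alias tim_key, the resolver name tim_resolver and the sample clear-text value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page or from WildFly: emits the
# jboss-cli commands for steps 1-8 and, when a server is reachable, feeds them
# to jboss-cli.sh over stdin in two sessions (the reload in step 6 drops the
# CLI connection, so the encryption step runs in a second session).
STORE_NAME="${STORE_NAME:-tim_store_secret}"    # assumed resource name
STORE_FILE="${STORE_FILE:-tim_store_secret.cs}" # file name from the page
KEY_ALIAS="${KEY_ALIAS:-tim_key}"               # assumed key alias
RESOLVER="${RESOLVER:-tim_resolver}"            # assumed resolver name

# Steps 1-6: replace any earlier setup, create the store, generate the key,
# register the resolver as default and reload.
gen_setup_script() {
    cat <<EOF
# Step 1: remove a previous expression resolver and store, if present
if (outcome == success) of /subsystem=elytron/expression=encryption:read-resource
    /subsystem=elytron/expression=encryption:remove
end-if
if (outcome == success) of /subsystem=elytron/secret-key-credential-store=${STORE_NAME}:read-resource
    /subsystem=elytron/secret-key-credential-store=${STORE_NAME}:remove
end-if
# Step 2: create the store file under standalone/configuration
/subsystem=elytron/secret-key-credential-store=${STORE_NAME}:add(path=${STORE_FILE},relative-to=jboss.server.config.dir)
# Step 3: generate a random 256-bit AES key and store it under the alias
/subsystem=elytron/secret-key-credential-store=${STORE_NAME}:generate-secret-key(alias=${KEY_ALIAS},key-size=256)
# Step 4: add the encryption resolver backed by that key
/subsystem=elytron/expression=encryption:add(resolvers=[{name=${RESOLVER},credential-store=${STORE_NAME},secret-key=${KEY_ALIAS}}])
# Step 5: make it the default resolver so expressions need no resolver prefix
/subsystem=elytron/expression=encryption:write-attribute(name=default-resolver,value=${RESOLVER})
# Step 6: reload so the new resources are active
reload
EOF
}

# Step 7: encrypt one clear-text value. The argument must not contain a
# double quote; supply it through the CLEAR_TEXT environment variable rather
# than typing it on the command line so it stays out of shell history.
gen_encrypt_script() {
    cat <<EOF
/subsystem=elytron/expression=encryption:create-expression(clear-text="$1")
EOF
}

# Step 8: leave admin-only mode so the deployment starts.
gen_finish_script() {
    printf 'reload --admin-only=false\n'
}

if [ -x "${JBOSS_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
    gen_setup_script | "$JBOSS_HOME/bin/jboss-cli.sh" --connect
    gen_encrypt_script "${CLEAR_TEXT:?set CLEAR_TEXT to the value to encrypt}" \
        | "$JBOSS_HOME/bin/jboss-cli.sh" --connect
    echo "Place the printed expression in the configuration, then run:"
    gen_finish_script
else
    # No server available: just print the scripts for review.
    gen_setup_script
    gen_encrypt_script 'example-db-password'   # constructed sample value
    gen_finish_script
fi
```

The setup and the encryption run as two separate jboss-cli sessions because the reload in step 6 closes the first one. The final reload is printed rather than executed, since the ${ENC::...} expression returned by step 7 has to be placed in the configuration before the server leaves admin-only mode.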

2. Reuse the Secret Key in Multiple Server Instances

If you operate several server instances that share one database, the secret key generated on the first instance must be reused on every other instance. Values encrypted on one instance can only be decrypted with the key that produced them, so an instance with its own key could not read what the others wrote. Generate the key once, then transfer it to the other instances instead of running the generation step again on each of them.
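As an added example (not code from the page or from WildFly), the transfer of the key to a second instance using the export-secret-key and import-secret-key operations of Elytron's secret-key-credential-store resource. Controller addresses, store name and alias are assumptions, and the sample CLI output is constructed. On the second instance, create the store (step 2) but skip key generation (step 3) before importing.

```shell
#!/bin/sh
# Added example, not code from the original page or from WildFly: exports the
# secret key from a configured instance and imports it on another one.
STORE_NAME="${STORE_NAME:-tim_store_secret}"   # assumed resource name
KEY_ALIAS="${KEY_ALIAS:-tim_key}"              # assumed key alias
SRC_CTRL="${SRC_CTRL:-server-a.example.internal:9990}"  # assumed: already set up
DST_CTRL="${DST_CTRL:-server-b.example.internal:9990}"  # assumed: store exists, no key

# Pull the base64 key out of the CLI's DMR-style output, which looks like
#   "result" => {"key" => "RUxZ...="}
extract_key() {
    sed -n 's/.*"key" => "\([^"]*\)".*/\1/p' | head -n 1
}

export_cmd() {
    printf '/subsystem=elytron/secret-key-credential-store=%s:export-secret-key(alias=%s)\n' \
        "$STORE_NAME" "$KEY_ALIAS"
}

import_cmd() {   # $1 = base64 key, quoted because it usually ends in '='
    printf '/subsystem=elytron/secret-key-credential-store=%s:import-secret-key(alias=%s,key="%s")\n' \
        "$STORE_NAME" "$KEY_ALIAS" "$1"
}

# Constructed sample of what export-secret-key prints; used when no server is
# reachable so the parsing step can be exercised offline.
SAMPLE_OUTPUT='{
    "outcome" => "success",
    "result" => {"key" => "RUxZAUMQdwQzM0rsQ29uc3RydWN0ZWRTYW1wbGVLZXk="}
}'

if [ -x "${JBOSS_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
    # Commands go to the CLI over stdin, so the key never appears in a
    # process listing or in shell history.
    key=$(export_cmd | "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller="$SRC_CTRL" | extract_key)
    [ -n "$key" ] || { echo "export failed" >&2; exit 1; }
    import_cmd "$key" | "$JBOSS_HOME/bin/jboss-cli.sh" --connect --controller="$DST_CTRL"
    unset key
else
    printf '%s\n' "$SAMPLE_OUTPUT" | extract_key
fi
```

The exported value is the key itself: move it only over an authenticated, encrypted channel and do not leave it in logs, history or temporary files. If the destination store already holds a key under the alias (for example because step 3 also ran there), delete it first with the remove-alias operation on the same resource, then import.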