unclshura/dbMango
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dbMango/Rms.Risk.Mango/wwwroot/docs/master-key.md
Alexander Shabarshov 2a7a24c9e7 Initial contribution
2025-11-03 14:43:26 +00:00

124 lines
3.8 KiB
Markdown
Raw Permalink Blame History

# Master Key Generation
dbMango uses a master key for encryption and decryption of sensitive data (passwords, connection strings).
There is no default master key; you must generate and provide your own. Master keys for different environments **MUST NOT** be the same.
This document provides instructions on how to generate a master key in the form of a `.p12`.
To generate a `.p12` (PKCS#12) key, you can use either OpenSSL or .NET tools.
When master key is generated you need to provide its path and password in the `appsettings.json` file ( See [Configuration](config.md) ):
```json
"SecuritySettings": {
"MasterKeyFileName": "test-MasterKey-encrypted.p12",
"MasterKeyPassword": "",
...
}
}
```
Note that for `Development` environment you can use a standard .NET "application secrets" approach by leaving password
blank and executing the following command in the project directory:
```sh
dotnet user-secrets set "SecuritySettings:MasterKeyPassword" "actual value"
```
For UAT and Production environments you should use a strong password. It can be loaded from Kubernetes secret or environment variable.
To load it from a secret you must specify file name in the `MasterKeyPassword` property. It should start with `#` symbol
to indicate that it is a file name, not a clear text value. For example:
```json
"SecuritySettings": {
"MasterKeyFileName": "test-MasterKey-encrypted.p12",
"MasterKeyPassword": "#/app/secrets/MasterKeyPassword",
...
}
}
```
The corresponding Kubernetes secret can be created as follows:
```sh
kubectl create secret generic MasterKeyPassword --from-literal=password=your-strong-password
```
Secret then can be mounted to the `/app/secrets` folder in the container. Here is the example of the relevant part of the deployment YAML:
```yaml
volumeMounts:
- name: secret-volume
mountPath: /app/secrets
readOnly: true
volumes:
- name: secret-volume
secret:
secretName: MasterKeyPassword
```
### Using OpenSSL
The following steps outline how to create a `.p12` file using OpenSSL:
1. Generate a Private Key
2. Create a Certificate Signing Request (CSR)
3. Generate a Self-Signed Certificate
4. Combine the Private Key and Certificate into a `.p12` file
You will be prompted to set an export password for the `.p12` file.
```sh
openssl genrsa -out private.key 2048
openssl req -new -key private.key -out request.csr
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt
openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.crt -name "MyCertificate"
```
### Using .NET Tools
You can use the `System.Security.Cryptography` namespace in .NET to generate a `.p12` file programmatically. Here's an example:
```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
class Program
{
static void Main()
{
// Generate RSA Key Pair
using RSA rsa = RSA.Create(2048);
// Create Certificate Request
var request = new CertificateRequest(
"CN=MyCertificate",
rsa,
HashAlgorithmName.SHA256,
RSASignaturePadding.Pkcs1);
// Self-Signed Certificate
var certificate = request.CreateSelfSigned(
DateTimeOffset.Now,
DateTimeOffset.Now.AddYears(1));
// Export to PKCS#12 (.p12)
var pfxBytes = certificate.Export(X509ContentType.Pkcs12, "export-password");
// Save to File
System.IO.File.WriteAllBytes("certificate.p12", pfxBytes);
Console.WriteLine("PKCS#12 file generated: certificate.p12");
}
}
```
- Replace `"export-password"` with your desired password.
- The `.p12` file will be saved in the application's working directory.
Reference in New Issue View Git Blame Copy Permalink