Encrypt old content after Encryption activation

pajumbo · ‎14 Nov 2019

Hello to all,

I have enabled encryption with the add-on component https://github.com/Acosix/alfresco-simple-content-stores.

now I have to encrypt all the old content in Alfresco before encryption activation.

I've understand that is needed an external program to do this.

someone made it before?

Is there a way to replace the contents of a document without recreating the whole document?

Is there a way to replace the contents of a document without recreating the whole document, but by encrypting its content?

I had done tests with the REST services:

using put / nodes / {nodeId} / content, create a new version. and deleting the old version (delete / nodes / {nodeId} / version / {versionId}) the old content file (bin file) remains in the file system.
Am I doing something wrong? will the old content be deleted after a defined time? something like orphaned documents or is there a way to force the elimination?
thank you.

jljwoznica · ‎21 Nov 2019

The most common way I have seen thid done is install a new instance of whatever ACS version they are on and mirror the previous install in terms of customizations, etc, then enable encryption and then migrate the old data into this new install.

The other option is programmatically which I know has been done by Alfresco Professional Services. I cannot confirm your code approach for you, however. I will continue to research, however.

afaust · ‎11 Dec 2019

Please be aware that the original poster was referring to a community extension for content encryption, NOT the Alfresco Encrypted Content Store feature. So anything that Professional Services have done or what may be documented by Alfresco might not be applicable in this case. Also, as a disclaimer: I am the developer of said community extension. The documentation for this store is in the following Markdown document within the project itself: https://github.com/Acosix/alfresco-simple-content-stores/blob/master/docs/EncryptingStore.md

Now, as to the original question: With the encrypted content store of the alfresco-simple-content-stores addon, it is not necessary and frankly not supported to encrypt existing content with an external program. Doing so will break access to the content. If a piece of content in the content store is not associated with an encryption key in the Alfresco database, it will be read as-is, so if it is unencrypted on disk and no key is associated in the DB, it will be fully readable. But if you mess with that constellation, e.g. encrypt it on disk without Alfresco having a key associated in the DB, it will be read (and e.g. downloaded) as the encrypted, garbled content.

There currently is no feature to encrypt existing content in-place after the extension has been added / enabled. Depending on how other content stores or content store facades have been configured, various means may exist to encrypt the content. The simplest and potentially cleanes may be to use a property-based routing store facade in front of the encrypting content store (and have a secondary, unencrypted content store as the default with the existing content), and then simply set the configured selector property on the nodes you wish to have encrypted. By setting the property, alfresco-simple-content-stores will copy the existing content from the default content store into the encrypted content store, transparently encrypting it in the process. The old content will be marked as orphaned and cleaned up by Alfresco automatically after the configured orphan time has passed. Important in this setup is that the default and encrypted content stores have configured, unique "protocols", so that the content URLs in Alfresco are unique - this is required to ensure orphan handling works correctly. The selector property content store facade is documented in https://github.com/Acosix/alfresco-simple-content-stores/blob/master/docs/SelectorPropertyStore.md