SHA‐512 as Hashing Algorithm
Rollbase has upgraded its password hashing mechanism to SHA‐512. Each hashing process combines plain‐text password with random salt generated using cryptographically secure pseudo‐random number generator (CSPRNG). Existing passwords will be re‐hashed using SHA‐512 after user login.
Encryption Algorithm Private Key
Rollbase supports encryption for text, phone, and email fields, and contents of file upload fields. All these data are by default encrypted using AES (Advanced Encryption Standard) with 128‐bit key size.
When the system restarts after upgrading to 4.4.4, a private.key
file that contains the secret key unique to your Rollbase instance is generated and saved in your Rollbase config folder on your master machine at <ROLLBASE_HOME>/config/security
: Store a copy of the generated key in a secure place so that it is available for situations such as disaster recovery, or machine changes. This file is created and managed by Rollbase and should not be edited locally.
All fields currently encrypted using default encryption algorithm (AES‐128) will continue to function correctly. They will be decrypted and then re‐encrypted using your preferred algorithm and generated secret key the next time they are edited and saved.
AES‐256 Encryption Algorithm Support
Rollbase now also supports encrypting data using AES with 256‐bit key size. This is a system wide choice and managed through the shared property ‐ ‘EncryptionType
To make use of AES‐256 on a Rollbase Private Cloud:
- Set value of shared property ‘EncryptionType’ from 0 to 1. This is a one‐time setting. Once set to 1, reverting to 0 is not recommended. If no value is specified, ‘EncryptionType’ uses its default value, 0. No additional changes are required if you want to continue using AES‐128.
- Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 to enable the 256‐bit Key Size used by AES‐256. For download and usage instructions, see here.
Note: If these JCE files are not installed and the property ‘EncryptionType’ is set to 1, encryption attempts will fail with the exception: Illegal Key Size.
Important: Support for unique constraint validation on encrypted fields has been deprecated. Thus, unique checks on encrypted fields will not work. Encrypted fields cannot be audited, marked unique or indexed as part of the search engine. Once set, this option cannot be removed.