Storage passphrase overview
The storage passphrase (also known as key encryption passphrase) is used to generate the key encryption key (KEK) for a storage bucket.
By default, storage encryption is disabled. If storage encryption is enabled, when a variant is created, a KEK is also generated with a combination of the key encryption passphrase and a generated salt. The KEK is used to encrypt the AES keys (blob key). The AES keys are used to encrypt data at rest. The AES keys are encrypted before being stored on the disk.
In Global Mailbox, you can run a command line
script to set the passphrase. Sterling B2B Integrator
has a single configuration value for the Passphrase Based Encryption (PBE) passphrase. Therefore,
storagePassphrase script must be run before you create any variants. The Sterling B2B Integrator passphrase must also be set to the
same passphrase. The passphrase is persisted in Cassandra, and replicated across all nodes.
The KEK generation passphrase is stored as a property on the pre-defined Sterling B2B Integrator Mailbox Engine application record
com.ibm.mailbox.storage.kek.passphrase). It is stored encrypted, using the same
encryption mechanism that is used to encrypt external passwords.
storagePassphrasescript before creating any variants, set the same passphrase in Sterling B2B Integrator, and do not update the storage passphrase. If you update the passphrase, then any variants that were encrypted with the old passphrase become unusable, when Sterling B2B Integrator tries to access the variants.