Storage passphrase overview
The storage passphrase (also known as key encryption passphrase) is used to generate the key encryption key (KEK) for a storage bucket.
By default, storage encryption is disabled. If storage encryption is enabled, a KEK is generated when a variant is created, from the key encryption passphrase combined with a generated salt. The KEK is used to encrypt the AES keys (blob keys), and the AES keys are used to encrypt data at rest. The AES keys are encrypted before they are stored on disk.
In Global Mailbox, you can run a command line script to set the passphrase. Sterling B2B Integrator has a single configuration value for the Passphrase Based Encryption (PBE) passphrase. Therefore, the storagePassphrase script must be run before you create any variants. The Sterling B2B Integrator passphrase must also be set to the same passphrase. The passphrase is persisted in Cassandra and replicated across all nodes.
The KEK generation passphrase is stored as a property on the pre-defined Sterling B2B Integrator Mailbox Engine application record (com.ibm.mailbox.storage.kek.passphrase). It is stored encrypted, using the same encryption mechanism that is used to encrypt external passwords.
Run the storagePassphrase script before creating any variants, set the same passphrase in Sterling B2B Integrator, and do not update the storage passphrase. If you update the passphrase, any variants that were encrypted with the old passphrase become unusable when Sterling B2B Integrator tries to access them.
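The key hierarchy described above (passphrase + per-variant salt -> KEK -> wrapped blob key), and the reason a passphrase change makes existing variants unusable, as an added illustration that is not Global Mailbox's or IBM's code. The KDF (PBKDF2), the iteration count, and the wrapping primitive (an HMAC-based keystream plus HMAC tag, standing in for AES key wrapping because the standard library has no AES) are assumptions for the illustration, not the product's actual implementation.

```python
import hashlib, hmac, os
from typing import NamedTuple

# Assumed parameters for illustration only, not Global Mailbox's real values.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 32

class Variant(NamedTuple):
    salt: bytes              # generated per variant, stored alongside it
    wrapped_blob_key: bytes  # blob key encrypted under the KEK

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """KEK is re-derived from passphrase + salt; it is never stored itself."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)

def _keystream(kek: bytes, nonce: bytes) -> bytes:
    return hmac.new(kek, b"wrap" + nonce, "sha256").digest()

def wrap_blob_key(kek: bytes, blob_key: bytes) -> bytes:
    """Stand-in for AES key wrapping: XOR with an HMAC keystream, then an HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(blob_key, _keystream(kek, nonce)))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag

def unwrap_blob_key(kek: bytes, wrapped: bytes) -> bytes:
    nonce, ct, tag = wrapped[:16], wrapped[16:16 + KEY_LEN], wrapped[16 + KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        # A KEK derived from a different passphrase fails here: the variant is unusable.
        raise ValueError("wrong passphrase or corrupted wrapped key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce)))

def create_variant(passphrase: str) -> tuple[Variant, bytes]:
    """Variant creation: new salt, KEK from passphrase + salt, blob key wrapped under the KEK."""
    salt = os.urandom(16)
    blob_key = os.urandom(KEY_LEN)  # the data-at-rest key for this variant
    return Variant(salt, wrap_blob_key(derive_kek(passphrase, salt), blob_key)), blob_key

def open_variant(passphrase: str, v: Variant) -> bytes:
    """What the reader (e.g. Sterling B2B Integrator) must do: same passphrase, stored salt."""
    return unwrap_blob_key(derive_kek(passphrase, v.salt), v.wrapped_blob_key)

def passphrase_change_breaks_old_variants(old: str, new: str) -> bool:
    """True if a variant created under `old` can no longer be opened with `new`."""
    variant, blob_key = create_variant(old)
    assert open_variant(old, variant) == blob_key
    try:
        open_variant(new, variant)
    except ValueError:
        return True
    return False
```

Because only the wrapped blob key is stored, nothing on disk can be re-derived once the passphrase differs; both Global Mailbox and Sterling B2B Integrator must hold the same passphrase for the same salt.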