For additional system protection, it is recommended to encrypt the configuration files after final edits.
Pam components protection
The distribution kit includes the Configuration protector utility, which is located in the \MISC\Core.IdP.Encryptor\ folder.
The utility can encrypt the configuration files of the Core, IdP, Log Server, ProxyApp and SSHProxy components.
Run the following commands to encrypt the corresponding configuration files:
Core component:
Pam.Tools.Configuration.Protector protect --component Core --file C:\inetpub\wwwroot\pam\core\appsettings.json
IdP component:
Pam.Tools.Configuration.Protector protect --component Idp --file C:\inetpub\wwwroot\pam\idp\appsettings.json
Log Server component:
Pam.Tools.Configuration.Protector protect --component LogServer --file C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config
ProxyApp component:
Pam.Tools.Configuration.Protector protect --component ProxyApp --file "C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json"
SSHProxy component:
Pam.Tools.Configuration.Protector protect --component SshProxy --file "C:\Program Files\Indeed Identity\Indeed PAM\SSH Proxy\appsettings.json"
To decrypt the configuration, run the command:
Pam.Tools.Configuration.Protector unprotect --file "c:\path\to\configuration\file"
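The following PowerShell script is an added example for this page, not part of the Indeed PAM distribution. It wraps the protect and unprotect commands shown above so that all five component configurations are processed in one pass, stops at the first non-zero exit code, and hashes each file before and after the run as a sanity check that it was actually rewritten. Assumptions that the documentation does not state: the utility's executable is named Pam.Tools.Configuration.Protector.exe, $ProtectorDir is wherever \MISC\Core.IdP.Encryptor\ was copied to, and the file paths are the default install locations used in the commands above.

```powershell
# Added example (not from the Indeed PAM documentation or product).
# Runs the documented protect/unprotect commands for every component.
# Assumed: executable name, $ProtectorDir location, default install paths.
param(
    [string]$ProtectorDir = 'C:\Distrib\MISC\Core.IdP.Encryptor',  # assumed
    [switch]$Unprotect                                               # run 'unprotect' instead of 'protect'
)

$Protector = Join-Path $ProtectorDir 'Pam.Tools.Configuration.Protector.exe'  # assumed file name
if (-not (Test-Path -LiteralPath $Protector)) {
    throw "Protector not found at $Protector"
}

# Component name exactly as the --component switch expects it -> configuration file
$Targets = [ordered]@{
    Core      = 'C:\inetpub\wwwroot\pam\core\appsettings.json'
    Idp       = 'C:\inetpub\wwwroot\pam\idp\appsettings.json'
    LogServer = 'C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config'
    ProxyApp  = 'C:\Program Files\Indeed Identity\Indeed PAM\Gateway\ProxyApp\appsettings.json'
    SshProxy  = 'C:\Program Files\Indeed Identity\Indeed PAM\SSH Proxy\appsettings.json'
}

function Invoke-PamProtector {
    param([string]$Component, [string]$File, [switch]$Unprotect)

    # A missing file usually means the component is not installed on this host.
    if (-not (Test-Path -LiteralPath $File)) {
        Write-Warning "$Component : $File not found, skipped"
        return
    }
    $before = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash

    if ($Unprotect) {
        & $Protector unprotect --file $File
    } else {
        & $Protector protect --component $Component --file $File
    }
    if ($LASTEXITCODE -ne 0) {
        throw "$Component : protector exited with code $LASTEXITCODE, stopping"
    }

    # Sanity check only: an unchanged hash means the file was not rewritten.
    $after = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash
    if ($before -eq $after) {
        Write-Warning "$Component : $File is unchanged after the run"
    } else {
        Write-Host "$Component : $File rewritten"
    }
}

foreach ($entry in $Targets.GetEnumerator()) {
    Invoke-PamProtector -Component $entry.Key -File $entry.Value -Unprotect:$Unprotect
}
```

Run it from an elevated prompt on each server after the configuration files have been finalized, then recycle the IIS application pools and restart the ProxyApp and SSH Proxy services and confirm that every component starts; a component that cannot read its protected configuration can be restored by running the same script with -Unprotect.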
Encryption mechanism details
Encryption is performed using the AES-256 algorithm with a key set generated by the Data Protection API. The keys are stored in the %ProgramData%\Indeed Identity\Indeed PAM\Keys folder.
The keys themselves are encrypted with the Windows Data Protection API in machine scope, i.e. bound to the computer rather than to a user account. Consequently, any user on that computer can encrypt or decrypt the keys, so access to the Keys folder should be restricted by NTFS permissions to administrators and the accounts the PAM components run under. If the Data Protection keys are not synchronized between load-balanced instances, each instance has its own key set and cannot read a configuration encrypted on another instance; in that case the configuration must be re-encrypted on each instance.
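The following PowerShell is added here as an illustration of the points above; it is not taken from the product. The first part makes the machine-binding caveat concrete: a blob protected with DataProtectionScope.LocalMachine decrypts for any account on the same host without any user credential, and throws a CryptographicException on any other host. The second part lists which identities can read the key folder so that the NTFS ACL can be tightened, and the third fingerprints the key files so that they can be compared across load-balanced instances. The Keys path is the documented one; the key-*.xml file name pattern is an assumption based on the ASP.NET Core Data Protection file repository convention.

```powershell
# Added example (not from the Indeed PAM documentation or product).
# Assumed: key files are named key-*.xml; the folder path is the documented one.
Add-Type -AssemblyName System.Security

$KeysDir = Join-Path $env:ProgramData 'Indeed Identity\Indeed PAM\Keys'

# --- 1. What "bound to the computer" means ---------------------------------
# Constructed sample secret; the product's key material is never touched here.
$secret = [Text.Encoding]::UTF8.GetBytes('constructed sample secret')
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)

# Any process on this machine, under any local account, can run this line.
# Copy $blob to another machine and the same call throws CryptographicException.
$roundTrip = [Security.Cryptography.ProtectedData]::Unprotect(
    $blob, $null, [Security.Cryptography.DataProtectionScope]::LocalMachine)
Write-Host ('Decrypted on this host: ' + [Text.Encoding]::UTF8.GetString($roundTrip))

# --- 2. Who can read the key ring? ------------------------------------------
# Anything broader than SYSTEM, Administrators and the component service or
# application pool identities is unnecessary exposure given the point above.
Write-Host "`nIdentities with read access to $KeysDir"
(Get-Acl -LiteralPath $KeysDir).Access |
    Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# --- 3. Fingerprint the key ring for cross-node comparison ------------------
# Run on every load-balanced instance; differing names or hashes mean the
# instances do not share keys and a configuration protected on one node
# will not be readable on the others.
Write-Host "`nKey files on $env:COMPUTERNAME"
Get-ChildItem -LiteralPath $KeysDir -Filter 'key-*.xml' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'Key'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Format-Table -AutoSize
```

The first part deliberately passes no optional entropy to DPAPI, which is the configuration that makes machine-scope decryption available to every local account; the ACL on the Keys folder is therefore the control that decides who can recover the configuration keys on a given server.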