Skip to content

Asymmetric Encryption

Asymmetric encryption uses public and private keys to encrypt and decrypt data. While the public key of the key pair is shared with external parties, the private key is kept secret. When one of the key pairs is used to encrypt a message, the other key can be used to decrypt it. In a keystore, you can store both private and public keys, and in a truststore you can store only public keys.

Info

For more information on how to configure the keystores to asymmetric key encryption, see Keystores.

In WSO2 Identity Server, asymmetric encryption is used by default for the following purposes:

  • Authenticating the communication over Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols.
  • Encrypting sensitive data such as plain-text passwords found in both product-level and product feature-level configurations/configuration files using cipher tool.
  • Encrypting SOAP messages using WS-Security.

For other types of encryption, symmetric encryption is used by default.

Note

To switch to asymmetric encryption, add the following configurations to the deployment.toml file located in the <IS_HOME>/repository/conf directory.

The [keystore] property should be added before the [keystore.primary] entry in the deployment.toml file. The other two properties can be added to the end of the file.

[keystore]
userstore_password_encryption = "InternalKeyStore"

[system.parameter]
"org.wso2.CipherTransformation"="RSA/ECB/OAEPwithSHA1andMGF1Padding"

[encryption]
internal_crypto_provider = "org.wso2.carbon.crypto.provider.KeyStoreBasedInternalCryptoProvider"