I am trying to find documentation about encryption of attributes in DHIS2, specifically:
Can encryption be activated/added on an existing attribute that already has data? I am assuming that this would break the application because new values will be encrypted and old values will not. Maybe I need to manually encrypt values in the database to avoid this issue; and if that’s the case, what’s the Postgres function and algorithm I should use?
The encryption password in dhis2.conf is saved in plain text; can it be encrypted as well? Any recommendations/best practices to protect this password?
Thank you in advance for your comments and suggestions.
Thanks for your post and interesting questions! Hopefully someone from @dhis2-security will get back to your questions.
Selecting which attributes are to be confidential is only possible after encryption is set up on the server. After setting up the encryption, it will be possible to encrypt both new and old attributes. Here’s an interesting note on encryption.
The dhis2.conf file shouldn’t be easily accessible and probably protecting it is equal to protecting the server environment; probably following the security considerations is safe enough: Security Considerations - DHIS2 Documentation
The current implementation of the encryption feature doesn’t assume changing this setting for existing data. We know it is not ideal and are discussing with the core team how to make this feature better. There is no ETA on when it will be implemented, but I will share the update once we are ready.
We assume that in most cases a person who has access to the configuration file with database credentials (and encryption key) can likely access the database as well. So encrypting the values in the configuration file will have a limited effect. Theoretically, it can be achieved by using HashiCorp Vault (https://www.vaultproject.io) with storing passwords in environment variables, but I’m not sure if we support such a configuration on the DHIS2 app/server level.