8.7. Encryption configuration

DHIS2 supports encryption of data. Enabling it requires the additional setup described in this section.

8.7.1. Java Cryptography Extension

DHIS2 uses an encryption algorithm classified as strong and therefore requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to be installed. These files can be installed through these steps:

  1. Download the JCE Unlimited Strength Jurisdiction Policy Files for your version of Java from the Oracle Web site. Scroll down to the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" section. It is important that the version of the files matches the version of Java on your server.

    http://www.oracle.com/technetwork/java/javase/downloads/index.html

  2. Extract the downloaded ZIP archive. It contains two JAR files: local_policy.jar and US_export_policy.jar.

  3. Locate the JDK directory of your Java installation. From there, navigate into the jre/lib/security directory. On Ubuntu it is often found at /usr/lib/jvm/java-8-oracle/jre/lib/security.

  4. (Optional) Back up your existing local_policy.jar and US_export_policy.jar in case you want to revert to them later.

  5. Copy the local_policy.jar and US_export_policy.jar files into the security folder. This completes the installation, and you should now have the following files. Remember to restart your servlet container for the change to take effect.

    /usr/lib/jvm/java-8-oracle/jre/lib/security/local_policy.jar
    /usr/lib/jvm/java-8-oracle/jre/lib/security/US_export_policy.jar

8.7.2. Password configuration

To secure the encryption algorithm you must set a password in the dhis.conf configuration file through the encryption.password property:

    encryption.password = xxxx

The password must be at least 24 characters long and it is recommended to use a mix of numbers and lower- and uppercase letters. The encryption password must be kept secret.
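
One way to check a dhis.conf against these rules, as an added example that is not part of the DHIS2 documentation. The function names are hypothetical, the key = value form is assumed to match the line shown above, and the world-readable check is an added assumption about how the file should be protected.

```bash
#!/usr/bin/env bash
# Added example: audit encryption.password in dhis.conf against section 8.7.2.
# Assumes the "key = value" form shown above; the password is never printed.

# Print the configured value (last occurrence; empty if unset).
get_encryption_password() {
    sed -n 's/^[[:space:]]*encryption\.password[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# 0 = meets the rules, 1 = shorter than 24 characters (required),
# 2 = long enough but missing a digit, lowercase or uppercase letter (recommended).
check_password() {
    local pw="$1"
    [ "${#pw}" -ge 24 ] || return 1
    case $pw in *[[:digit:]]*) ;; *) return 2 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 2 ;; esac
    case $pw in *[[:upper:]]*) ;; *) return 2 ;; esac
    return 0
}

# Print a random alphanumeric password (default 32 characters) that passes the check.
generate_password() {
    local len="${1:-32}" candidate
    [ "$len" -ge 24 ] && [ "$len" -le 128 ] || return 1
    while :; do
        candidate=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$len")
        if check_password "$candidate"; then printf '%s\n' "$candidate"; return 0; fi
    done
}

# Audit a dhis.conf: 0 = ok, 1 = password unset or too short, 2 = warnings only.
audit_conf() {
    local conf="$1" pw rc=0
    pw=$(get_encryption_password "$conf")
    [ -n "$pw" ] || { echo "ERROR: encryption.password is not set" >&2; return 1; }
    check_password "$pw" || rc=$?
    [ "$rc" -ne 1 ] || { echo "ERROR: password is shorter than 24 characters" >&2; return 1; }
    [ "$rc" -ne 2 ] || echo "WARN: password lacks a digit, lowercase or uppercase letter" >&2
    # The file holds the secret, so it should not be readable by other users.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "WARN: $conf is world-readable" >&2; rc=2
    fi
    return "$rc"
}
```

Source the file and run audit_conf with the path to your dhis.conf; generate_password prints a new value suitable for the encryption.password property.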

8.7.3. Considerations for encryption

A word of caution: It is not possible to recover encrypted data if the encryption password is lost or changed. Conversely, the encryption provides no security if the password is compromised. Hence, great consideration should be given to storing the password in a safe place.