Keystore versions #

We keep improving key storage and management in Acra.

The latest keystore #

Starting from version 0.90.0, all Acra components support a new storage format: keystore version 2.

New features include:

  • Stronger key integrity validation, preventing even more tampering attempts.
  • Improved partitioning of the keys, simplifying configuration correctness checks.
  • Tracking additional key metadata, such as key validity periods and active states.
  • Compliance with best practices and recommendations, such as NIST SP 800-57.
  • Support for more external KMS types (only in Acra Enterprise Edition).

Keystore version 1 is the current version, used by new Acra instances by default.

You can opt in to the new version 2 when generating keys by using the --keystore=v2 option.

Acra components can automatically tell which keystore version is currently in use, so special attention is necessary only during the initial key generation and exchange.

Of course, it is also possible to convert existing key folders into the new format. See how to migrate existing Acra deployments from keystore v1 to v2.

The keystore version mostly affects the storage format and the available key management options. The content of the keys, the key material itself, stays the same. This means that different Acra components can run with different keystore versions: for example, AcraServer may use the improved version 2 while AcraConnector still uses version 1.

Keystore version 2 #

File-based keystore version 2 uses a hierarchical file structure. Purposes of the keys are encoded in their file paths. Private keys are stored encrypted and public keys in plain, both together inside a *.keyring file along with key metadata. Rotated keys are stored in the same *.keyring file as well.

The distinguishing feature of keystore version 2 is the version file, which contains the following string: Acra Keystore v2.

For example, here is what a keystore version 2 might look like:

├── client
│   └── Alice
│       ├── storage.keyring             storage keypair
│       └── transport
│           ├── connector.keyring       AcraConnector keypair
│           └── server.keyring          AcraServer keypair
├── version
└── zone
    └── DDDDDDDDIgRssUkVnxCyGcDv
        └── storage.keyring             zone encryption keypair

Keystore version 1 #

File-based keystore version 1 uses a mostly flat file structure. Purposes of the keys are encoded in their file names. Private keys are stored encrypted. Public keys are stored in plain and have a *.pub file name extension. Rotated keys are stored in directories with an *.old extension.

For example, here is what a keystore version 1 might look like:

├── Alice                               AcraConnector keypair
├── Alice.pub
├── Alice_server                        AcraServer keypair, rotated twice
├── Alice_server.old
│   ├── 2020-02-03T06:23:28.564094
│   └── 2020-08-04T08:30:31.663145
├── Alice_server.pub
├── Alice_server.pub.old
│   ├── 2020-02-03T06:23:28.564700
│   └── 2020-08-04T08:30:31.663733
├── Alice_storage                       storage keypair, rotated once
├── Alice_storage.old
│   └── 2020-05-21T16:01:58.656663
├── Alice_storage.pub
├── Alice_storage.pub.old
│   └── 2020-05-21T16:01:58.657333
├── DDDDDDDDIgRssUkVnxCyGcDv_zone       zone encryption keypair
└── DDDDDDDDIgRssUkVnxCyGcDv_zone.pub
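The two listings above (version 2 and version 1) are enough to write a small inventory tool. The following Python script is an added example, not Acra's own code: it tells the keystore version apart by the version file described above, then maps every key file to its owner and purpose using only the path conventions (v2) and file-name conventions (v1) shown in the listings, and for v1 it cross-checks that each keypair has both halves and that the private and public rotation histories have the same length. It does not parse *.keyring contents, since their format is not described on this page, and it assumes client ids without underscores, as in the listings. The sample trees it builds are constructed, empty placeholder files that mirror the two listings.

```python
"""Detect the Acra keystore version of a directory and inventory its keys.

Added example, not Acra's own code. Path and file-name conventions are taken from
the v1 and v2 listings on the page; *.keyring contents are not parsed.
"""
import re
import tempfile
from pathlib import Path

V2_MARKER = "Acra Keystore v2"            # content of the v2 "version" file
V1_SUFFIXES = {"_server": "server", "_storage": "storage", "_zone": "zone"}
# v2 encodes the purpose in the path: (pattern, purpose) pairs from the page's listing
V2_LAYOUT = [
    (re.compile(r"^client/([^/]+)/storage\.keyring$"), "storage"),
    (re.compile(r"^client/([^/]+)/transport/connector\.keyring$"), "connector"),
    (re.compile(r"^client/([^/]+)/transport/server\.keyring$"), "server"),
    (re.compile(r"^zone/([^/]+)/storage\.keyring$"), "zone"),
]

def detect_keystore_version(root):
    """v2 is marked by a 'version' file; a keystore without one is treated as v1."""
    version_file = Path(root) / "version"
    if not version_file.is_file():
        return 1
    if version_file.read_text().strip() == V2_MARKER:
        return 2
    raise ValueError(f"unrecognised keystore version marker in {version_file}")

def split_v1_name(name):
    """Map a v1 file name to (owner, purpose, is_public); a bare id is the AcraConnector key."""
    is_public = name.endswith(".pub")
    stem = name[:-4] if is_public else name
    for suffix, purpose in V1_SUFFIXES.items():
        if stem.endswith(suffix):
            return stem[:-len(suffix)], purpose, is_public
    return stem, "connector", is_public

def inventory_v1(root):
    """Return {(owner, purpose): {private, public, private_rotations, public_rotations}}."""
    root, keys = Path(root), {}
    for entry in sorted(root.iterdir()):
        if entry.name.endswith(".old") or not entry.is_file():
            continue                      # rotation dirs are read via their live key below
        owner, purpose, is_public = split_v1_name(entry.name)
        rec = keys.setdefault((owner, purpose), {"private": False, "public": False,
                                                 "private_rotations": [], "public_rotations": []})
        half = "public" if is_public else "private"
        rec[half] = True
        old_dir = root / (entry.name + ".old")   # e.g. Alice_server.old, Alice_server.pub.old
        if old_dir.is_dir():
            rec[half + "_rotations"] = sorted(p.name for p in old_dir.iterdir() if p.is_file())
    return keys

def find_problems_v1(keys):
    """Flag keypairs missing a half or whose two halves were not rotated the same number of times."""
    problems = []
    for (owner, purpose), rec in sorted(keys.items()):
        if not (rec["private"] and rec["public"]):
            problems.append(f"{owner}/{purpose}: missing {'public' if rec['private'] else 'private'} key")
        if len(rec["private_rotations"]) != len(rec["public_rotations"]):
            problems.append(f"{owner}/{purpose}: rotation history differs between halves")
    return problems

def inventory_v2(root):
    """Return {(owner, purpose): relative keyring path}; rotated keys live inside the keyring file."""
    root, keys = Path(root), {}
    for path in sorted(root.rglob("*.keyring")):
        rel = path.relative_to(root).as_posix()
        for pattern, purpose in V2_LAYOUT:
            match = pattern.match(rel)
            if match:
                keys[(match.group(1), purpose)] = rel
                break
        else:
            keys[(rel, "unrecognised")] = rel   # a layout the page does not document
    return keys

def build_sample_keystores(base):
    """Create constructed, empty placeholder trees mirroring the page's two listings."""
    v1, v2 = Path(base) / "v1", Path(base) / "v2"
    v1_files = ["Alice", "Alice.pub", "Alice_server", "Alice_server.pub", "Alice_storage",
                "Alice_storage.pub", "DDDDDDDDIgRssUkVnxCyGcDv_zone", "DDDDDDDDIgRssUkVnxCyGcDv_zone.pub"]
    v1_rotations = {"Alice_server.old": ["2020-02-03T06:23:28.564094", "2020-08-04T08:30:31.663145"],
                    "Alice_server.pub.old": ["2020-02-03T06:23:28.564700", "2020-08-04T08:30:31.663733"],
                    "Alice_storage.old": ["2020-05-21T16:01:58.656663"],
                    "Alice_storage.pub.old": ["2020-05-21T16:01:58.657333"]}
    v2_files = ["client/Alice/storage.keyring", "client/Alice/transport/connector.keyring",
                "client/Alice/transport/server.keyring", "zone/DDDDDDDDIgRssUkVnxCyGcDv/storage.keyring"]
    for rel in v1_files + [f"{d}/{f}" for d, fs in v1_rotations.items() for f in fs]:
        (v1 / rel).parent.mkdir(parents=True, exist_ok=True)
        (v1 / rel).touch()
    for rel in v2_files:
        (v2 / rel).parent.mkdir(parents=True, exist_ok=True)
        (v2 / rel).touch()
    (v2 / "version").write_text(V2_MARKER + "\n")
    return v1, v2

def run_demo():
    """Build both sample trees in a temp dir and inventory them; returns the results."""
    v1, v2 = build_sample_keystores(tempfile.mkdtemp(prefix="acra-keystore-demo-"))
    keys_v1 = inventory_v1(v1)
    return {"v1": (detect_keystore_version(v1), keys_v1, find_problems_v1(keys_v1)),
            "v2": (detect_keystore_version(v2), inventory_v2(v2))}
```

Run `run_demo()` to see both inventories; point `detect_keystore_version` and `inventory_v1` or `inventory_v2` at a real key folder to inventory it. Because rotated v2 keys are kept inside the *.keyring file, the v2 inventory can only report which keyrings exist, not how many times each key was rotated.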