msencrypt

Purpose

Used to create an encryption key or to encrypt portions of connection strings for use in Mapfiles (added in v4.10). Typically you might want to encrypt portions of the CONNECTION parameter for a database connection. The following CONNECTIONTYPEs are supported for using this encryption method:

• OGR

• Oracle Spatial

• PostGIS

• Microsoft SQL Server

Note also passwords for accessing secured WFS services can also be encrypted.

Syntax

To create a new encryption key:

msencrypt -keygen [key_filename]

To encrypt a string:

msencrypt -key [key_filename] [string_to_encrypt]

Use in Mapfile

The location of the encryption key can be specified by two mechanisms, either by setting the variable MS_ENCRYPTION_KEY in the ENV section of the MapServer Configuration, or using a CONFIG directive in the MAP object of your Mapfile. Prior to MapServer version 8.0 MS_ENCRYPTION_KEY could be set as an environment variable.

For example you can add the following to your Mapfile:

CONFIG MS_ENCRYPTION_KEY "/path/to/mykey.txt"

Note

As of MapServer 8.4 this can be an absolute path, or a path relative to the Mapfile. When setting in the Configuration the path must be absolute.

Use the { and } characters as delimiters for encrypted strings inside the database CONNECTION in your Mapfile. For example:

CONNECTIONTYPE ORACLESPATIAL
CONNECTION "user/{MIIBugIBAAKBgQCP0Yj+Seh8==}@service"

Example

LAYER
  NAME "provinces"
  TYPE POLYGON
  CONNECTIONTYPE POSTGIS
  CONNECTION "host=127.0.0.1 dbname=gmap user=postgres password=iluvyou18 port=5432"
  DATA "the_geom FROM province using SRID=3978"
  STATUS DEFAULT
  CLASS
    NAME "Countries"
    STYLE
        COLOR 255 0 0
    END
  END
END

Here are the steps to encrypt the password in the above connection:

1. Generate an encryption key (note that this key should not be stored anywhere within your web server’s accessible directories):

msencrypt -keygen "E:\temp\mykey.txt"

And this generated key file might contain something like:

2137FEFDB5611448738D9FBB1DC59055

2. Encrypt the connection’s password using that generated key:

msencrypt -key "E:\temp\mykey.txt" "iluvyou18"

Which returns the password encrypted, at the commandline (you’ll use it in a second):

3656026A23DBAFC04C402EDFAB7CE714

3. Edit the Mapfile to make sure the ‘mykey.txt’ can be found, using the “MS_ENCRYPTION_KEY” environment variable. The CONFIG parameter inside the MAP object can be used to set an environment variable inside a Mapfile:

MAP
    ...
    CONFIG "MS_ENCRYPTION_KEY" "E:/temp/mykey.txt"
    ...
END #mapfile

4. Modify the layer’s CONNECTION to use the generated password key, making sure to use the “{}” brackets around the key:

CONNECTION "host=127.0.0.1 dbname=gmap user=postgres
            password={3656026A23DBAFC04C402EDFAB7CE714} port=5432"

5. Done! Give your new encrypted Mapfile a try with the map2img utility!