Skip to main content

Configure cryptographic elliptic curves

By default, the Tessera enclave uses the jnacl implementation of the NaCl library to encrypt and decrypt private payloads.

The NaCl primitives provide good security and speed and this is sufficient in most circumstances.

You can configure alternative curves and symmetric ciphers by specifying encryptor in the Tessera configuration file.

Configure an alternative cryptographic elliptic curve

In the encryptor configuration item, you can provide a compatible JCA provider (for example, SunEC provider).

note

The same enclave encryption process is used regardless of whether the NaCl or JCA encryptor is configured.

JCA encryptor configuration
"encryptor":{
"type":"EC",
"properties":{
"symmetricCipher":"AES/GCM/NoPadding",
"ellipticCurve":"secp256r1",
"nonceLength":"24",
"sharedKeyLength":"32"
}
}

If type is set to CUSTOM, support is provided for an external encryptor implementation to integrate with Tessera. The kalium support module is configured as a custom encryptor. The pilot third party integration is Unbound Tech's Unbound Key Control (UKC) encryptor (jar available at com.github.unbound-tech:encryption-ub:<version>).

*[JCA]: Java Cryptography Architecture