---
title: Property secret stores
description: IDM servers can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.
component: pingidm
version: 8.1
page_id: pingidm:security-guide:secret-stores-property
canonical_url: https://docs.pingidentity.com/pingidm/8.1/security-guide/secret-stores-property.html
keywords: ["Security", "Certificates", "Keystores", "Keytool", "Truststores", "Privacy-Enhanced Mail (PEM)", "Secret Store", "JSON"]
---

# Property secret stores

IDM servers can read keys and trusted certificates from properties that contain keys in Privacy-Enhanced Mail (PEM) format.

The following example configures a property-based secret store, and adds an RSA PEM secret whose purpose is to encrypt and decrypt managed user passwords:

1. Add a `PropertyBasedStore` secret store definition to your `conf/secrets.json` file:

   ```json
   {
       "name": "pemStore",
       "class": "org.forgerock.openidm.secrets.config.PropertyBasedStore",
       "config": {
           "format": "PEM",
           "algorithm": "RSA",
           "mappings": [
               {
                   "secretId": "idm.pem.purpose",
                   "types": [
                       "ENCRYPT",
                       "DECRYPT"
                   ]
               }
           ]
       }
   }
   ```

2. Create an RSA private key in PEM format:

   ```bash
   openssl genrsa -out private-key.pem 3072
   ```

   With OpenSSL 3.x, `genrsa` writes the key in PKCS#8 format by default, so the file starts with `-----BEGIN PRIVATE KEY-----` rather than the `-----BEGIN RSA PRIVATE KEY-----` (PKCS#1) header shown in the next step. Add the `-traditional` option if you want the PKCS#1 encoding. Either way, keep the header and footer lines intact when you convert the key in Step 4; they are part of the PEM value.

3. Display the private key. For example:

   ```none
   more private-key.pem
   -----BEGIN RSA PRIVATE KEY-----
   MIIG4w...lrDgao
   -----END RSA PRIVATE KEY-----
   ```

4. Convert the private key to a single line, replacing each line break with the two-character escape sequence `\n` (a backslash followed by `n`, not an actual newline), because a `.properties` value must fit on one line. You can do this in a text editor, or on UNIX systems with `awk`:

   ```none
   awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' private-key.pem
   -----BEGIN RSA PRIVATE KEY-----\nMIIG4w...lrDgao\n-----END RSA PRIVATE KEY-----\n%
   ```

   The `awk` command drops blank lines and carriage returns and does not print a trailing newline. The `%` at the end of the output is the zsh prompt marker for a line without a trailing newline; it is not part of the key and must not be copied.

5. Copy the single-line private key and paste it into your `resolver/boot.properties` file, as the value of the `secretId` that you specified in Step 1. For example:

   ```properties
   idm.pem.purpose=-----BEGIN RSA PRIVATE KEY-----\nMIIG4w...lrDgao\n-----END RSA PRIVATE KEY-----\n
   ```

   The value must be a single line that begins with the `-----BEGIN` marker and ends with the `-----END ... -----\n` marker, with no stray characters after it. `boot.properties` now holds an unencrypted private key, so restrict read access on the file to the account that runs IDM and keep it out of version control.

6. Modify the encryption purpose for the managed user `password` in your managed object configuration (you can edit the managed object configuration over REST at the `config/managed` endpoint, or directly in the `conf/managed.json` file) to use the `PropertyBasedStore` secret store that you created in Step 1:

   ```json
   "password" : {
       "title" : "Password",
       "description" : "Password",
       "type" : "string",
       "viewable" : false,
       "searchable" : false,
       "userEditable" : true,
       "encryption" : {
           "purpose" : "idm.pem.purpose",
           "cipher" : "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
       }
       ...
   }
   ```

   IDM now encrypts and decrypts passwords with the RSA PEM key.
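The flattening in Steps 4 and 5 is where this procedure usually goes wrong (a carriage return left in, a blank line turned into an extra `\n`, a copied shell prompt pasted into the value). The following POSIX shell script is an added example, not part of the Ping Identity documentation: it wraps the `awk` conversion in a function, reverses it so the value can be handed back to a PEM parser, emits the `boot.properties` line for a given `secretId`, and checks that the value is a single line bounded by intact PEM markers. The PEM body it uses is a constructed placeholder, not a real key, and `idm.pem.purpose` is the secret ID from the page.

```shell
#!/bin/sh
# Added example (not from the Ping Identity docs): flatten a PEM private key
# into the single-line form a .properties value needs, and verify it.

# Flatten a PEM file into one line: strip trailing CRs, drop blank lines, and
# join the remaining lines with the literal two-character sequence "\n".
# The output deliberately has no trailing newline, which is why zsh prints a
# "%" after it; that marker is the shell's, not part of the value.
pem_to_property() {
  awk '{ sub(/\r$/, ""); if (NF) printf "%s\\n", $0 }' "$1"
}

# Reverse the flattening: expand the literal "\n" escapes back into newlines so
# the value can be fed to "openssl pkey" or any other PEM parser for a check.
property_to_pem() {
  printf '%b' "$1"
}

# Emit the boot.properties line for a given secretId and PEM file.
property_line() {
  printf '%s=%s\n' "$1" "$(pem_to_property "$2")"
}

# Sanity-check a flattened value: it must contain no real newline, start with
# a PEM BEGIN marker and end with an END marker followed by "\n", so a pasted
# prompt character or a truncated footer is rejected.
check_property_value() {
  nl=$(printf '\nx'); nl=${nl%x}
  case "$1" in
    *"$nl"*) return 1 ;;
  esac
  case "$1" in
    '-----BEGIN '*'-----END '*'-----\n') return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample with CRLF line endings and a blank line, to exercise the
# edge cases; the base64 body is a placeholder, not key material.
SAMPLE_PEM=${TMPDIR:-/tmp}/pem-example-$$.pem
printf -- '-----BEGIN RSA PRIVATE KEY-----\r\nMIIG4wPLACEHOLDER\r\n\r\nAAAAB3NzaC1\r\n-----END RSA PRIVATE KEY-----\r\n' > "$SAMPLE_PEM"

property_line idm.pem.purpose "$SAMPLE_PEM"
```

Run it as `sh flatten-pem.sh` (hypothetical file name) and paste the printed line into `resolver/boot.properties`; to confirm the value still parses as a key, pipe `property_to_pem "$value"` into `openssl pkey -noout` before restarting IDM.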
