Encryption of a single property
Learn how you can encrypt a single sensitive property stored in the efm.properties file.
To encrypt a property, you should use the Jasypt CLI, which you can download from the Jasypt CLI Tools documentation.
Once you download the CLI, a single property can be encrypted by using the following command:
./encrypt.sh input=propertyValueToEncrypt password=secretKey \
algorithm=PBEWITHHMACSHA512ANDAES_256 \
ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
efm.properties file:
efm.property.encryptor.algorithm=
efm.property.encryptor.ivGeneratorClassName=
./listAlgorithms.sh
This command does not list algorithms from non-default JCE providers such as Bouncy Castle unless you have registered those providers with the JVM. For more information, see the Jasypt Project documentation.
You can use this approach to encrypt multiple properties, but you should use the same password for each, because you can provide only one password when starting up Edge Flow Manager.
With some Java 8 versions, the Jasypt CLI throws a java.lang.ExceptionInInitializerError error. To fix this issue, you need to update the icu4j library used by Jasypt. This means you need to update the <jasypt-root>/lib/icu4j-3.4.4.jar file (if you are using Jasypt 1.9.3) with a newer version that you can download from here.
ENC(...) to let Edge Flow Manager know that it should treat the property as an encrypted value. For example:
efm.server.ssl.keyStorePassword=ENC(e2cpfr5CA+xyS8uU2BNXltKoR/hCBJeJlBxMAO2lNgt1snFOGza6uUCJCZGGNl5Q)
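A pre-deployment check for the ENC(...) convention described above, as an added example that is not part of the original page or of Edge Flow Manager. It assumes that sensitive properties can be recognised by "password" or "secret" in their name, and that the payload is Base64 of salt, IV and ciphertext in 16-byte AES blocks; the `example.*` property names are constructed.

```python
import base64
import binascii
import re

# Constructed sample efm.properties content; the example.* names are hypothetical.
SAMPLE = """\
efm.property.encryptor.algorithm=PBEWITHHMACSHA512ANDAES_256
efm.property.encryptor.ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
efm.server.ssl.keyStorePassword=ENC(e2cpfr5CA+xyS8uU2BNXltKoR/hCBJeJlBxMAO2lNgt1snFOGza6uUCJCZGGNl5Q)
example.db.password=changeit
example.api.secret=ENC(not base64!)
example.ldap.password=ENC(AAAA)
"""

SENSITIVE = re.compile(r"password|secret", re.IGNORECASE)  # assumed naming heuristic
ENC = re.compile(r"ENC\((.*)\)")
BLOCK = 16  # AES block size in bytes

def check_value(value):
    """Return None for a well-formed ENC(...) value, otherwise the reason it fails."""
    m = ENC.fullmatch(value)
    if not m:
        return "plaintext (not wrapped in ENC(...))"
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "ENC(...) payload is not valid Base64"
    # Assumption: one block of salt and one block of random IV precede
    # at least one block of ciphertext, so 48 bytes is the minimum.
    if len(raw) < 3 * BLOCK or len(raw) % BLOCK:
        return "ENC(...) payload has unexpected length %d" % len(raw)
    return None

def audit(text):
    """Map each sensitive property name to a finding; values are never echoed."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        reason = check_value(value.strip()) if SENSITIVE.search(key) else None
        if reason:
            findings[key.strip()] = reason
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE).items():
        print(f"{name}: {reason}")
```

The check only confirms that a value has the shape of Jasypt output; it cannot tell whether the value was encrypted with the password supplied to Edge Flow Manager at startup.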