Encrypted Configuration Properties
To protect sensitive data such as password, you can provide configuration properties for the Altus Director server and client in an encrypted form. This topic describes how to use encrypted configuration properties.
Creating an Encrypted Configuration Property
$ ./encryptPropertyValues master-password value1 value2 value3 Encrypting 'value1' with algorithm PBEWITHSHA1ANDDESEDE ... ----- 1LC5sbvMlv0I0e88HmCmvA== Encrypting 'value2' with algorithm PBEWITHSHA1ANDDESEDE ... zWgV8NvRITwJVZvqsuvYSw== ----- Encrypting 'value3' with algorithm PBEWITHSHA1ANDDESEDE ... xjUEn2cHVzozR+0JhO+/bg== -----
property1: ENC(1LC5sbvMlv0I0e88HmCmvA==) property2: ENC(zWgV8NvRITwJVZvqsuvYSw==) property3: ENC(xjUEn2cHVzozR+0JhO+/bg==)
Using Encrypted Configuration Properties
When encrypted configuration properties are in place, Altus Director must be started with the password originally used to encrypt them. This lets Altus Director decrypt the values.
The password is provided to Altus Director through the jasypt.encryptor.password configuration property. While this property could itself be provided in application.properties, that would defeat the protection provided by encryption. Better alternatives:
-
Pass the value on the command line when starting Director. This option, however, reveals the password in lists of active commands from OS utilities like ps.
$ ./bin/start --jasypt.encryptor.password=master-password
-
Set the JASYPT_ENCRYPTOR_PASSWORD environment variable.
$ export JASYPT_ENCRYPTOR_PASSWORD=master-password $ ./bin/start
-
Set the jasypt.encryptor.password Java system property. Doing this requires editing of the cloudera-director-server and cloudera-director scripts.
For maximum protection, store the password in a key management service, such as those supplied by cloud providers, and retrieve the password whenever you start Altus Director.
Configuring Encryption of Configuration Properties
Several Altus Director configuration properties control the type of encryption used, such as the algorithm and number of rounds. Set these properties in the Altus Director application.properties file as desired, and then use the encryptPropertyValues script to encrypt new property values using them. Caveats:
- When you change the encryption configuration, regenerate all encrypted configuration values.
- Some encryption algorithms and parameters require use of unlimited strength Java security policy files to function. The default choices used by Altus Director do not.
- Some encryption algorithms require installation of a new security provider, such as Bouncy Castle.
- Altus Director might not be able to decrypt values encrypted with an algorithm that uses an HMAC because the ciphertext currently does not include the necessary initialization vector (IV).
| Configuration Property | Default | Meaning |
|---|---|---|
| jasypt.encryptor.algorithm | PBEWITHSHA1ANDDESEDE | encryption algorithm |
| jasypt.encryptor.keyObtentionIterations | 10000 | number of rounds |
| jasypt.encryptor.providerName | SunJCE | name of security provider supporting encryption algorithm |
| jasypt.encryptor.saltGeneratorClassname | org.jasypt.salt.RandomSaltGenerator | fully-qualified name of Java class that generates salt for encryption |
| jasypt.encryptor.stringOutputType | base64 | encoding for ciphertext |