Encrypted Configuration Properties

To protect sensitive data such as password, you can provide configuration properties for the Altus Director server and client in an encrypted form. This topic describes how to use encrypted configuration properties.

Creating an Encrypted Configuration Property

Use the encryptPropertyValues script included with the Altus Director server to generate encrypted property values. As arguments to the script, pass an encryption password and one or more values to encrypt. Encryption parameters are taken from the server's current configuration.
$ ./encryptPropertyValues master-password value1 value2 value3
Encrypting 'value1' with algorithm PBEWITHSHA1ANDDESEDE ...
-----
1LC5sbvMlv0I0e88HmCmvA==
Encrypting 'value2' with algorithm PBEWITHSHA1ANDDESEDE ...
zWgV8NvRITwJVZvqsuvYSw==
-----
Encrypting 'value3' with algorithm PBEWITHSHA1ANDDESEDE ...
xjUEn2cHVzozR+0JhO+/bg==
-----
To use an encrypted value, provide it as the value for a configuration property through any supported mechanism, such as in the application.properties file. The value must be wrapped in parentheses and preceded by the string ENC to indicate that it is an encrypted value.
property1: ENC(1LC5sbvMlv0I0e88HmCmvA==)
property2: ENC(zWgV8NvRITwJVZvqsuvYSw==)
property3: ENC(xjUEn2cHVzozR+0JhO+/bg==)

Using Encrypted Configuration Properties

When encrypted configuration properties are in place, Altus Director must be started with the password originally used to encrypt them. This lets Altus Director decrypt the values.

The password is provided to Altus Director through the jasypt.encryptor.password configuration property. While this property could itself be provided in application.properties, that would defeat the protection provided by encryption. Better alternatives:

  • Pass the value on the command line when starting Director. This option, however, reveals the password in lists of active commands from OS utilities like ps.
    $ ./bin/start --jasypt.encryptor.password=master-password
  • Set the JASYPT_ENCRYPTOR_PASSWORD environment variable.
    $ export JASYPT_ENCRYPTOR_PASSWORD=master-password
    $ ./bin/start
  • Set the jasypt.encryptor.password Java system property. Doing this requires editing of the cloudera-director-server and cloudera-director scripts.

For maximum protection, store the password in a key management service, such as those supplied by cloud providers, and retrieve the password whenever you start Altus Director.

Configuring Encryption of Configuration Properties

Several Altus Director configuration properties control the type of encryption used, such as the algorithm and number of rounds. Set these properties in the Altus Director application.properties file as desired, and then use the encryptPropertyValues script to encrypt new property values using them. Caveats:

  • When you change the encryption configuration, regenerate all encrypted configuration values.
  • Some encryption algorithms and parameters require use of unlimited strength Java security policy files to function. The default choices used by Altus Director do not.
  • Some encryption algorithms require installation of a new security provider, such as Bouncy Castle.
  • Altus Director might not be able to decrypt values encrypted with an algorithm that uses an HMAC because the ciphertext currently does not include the necessary initialization vector (IV).
Important configuration properties for configuration property encryption are in the following table.
Configuration Property Default Meaning
jasypt.encryptor.algorithm PBEWITHSHA1ANDDESEDE encryption algorithm
jasypt.encryptor.keyObtentionIterations 10000 number of rounds
jasypt.encryptor.providerName SunJCE name of security provider supporting encryption algorithm
jasypt.encryptor.saltGeneratorClassname org.jasypt.salt.RandomSaltGenerator fully-qualified name of Java class that generates salt for encryption
jasypt.encryptor.stringOutputType base64 encoding for ciphertext