Skip to main content Skip to complementary content

Rotating encryption keys in Talend Studio

Two encryption keys are now used by Talend Studio and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.

  • system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the file and the <jobname>_<jobversion>.item Job properties files. All Talend Studio users working on the same project must have the same system encryption key.
  • routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
Information noteWarning: Talend strongly recommends you rotate the key on one Talend Studio, deploy the new key on the Remote Engine if needed, and then distribute the new key to other Talend Studios.

The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file \configuration\studio.keys , which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-win-x86_64.exe for the first time. Below is an example of the newly created studio.keys file.


If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.

The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.

The new version of the system encryption key takes effect for a Job only after you modify and save the Job.

If you need to rotate encryption keys when using Continuous Integration, you can use the -Dstudio.encryption.keys.file parameter to specify the path to the encryption key configuration file. For more information, see Building and Deploying.

About this task

The following procedure shows you how to rotate an encryption key.


  1. Open the key configuration file \configuration\studio.keys under the installation directory of your Talend Studio.
  2. Add a new version of the encryption key with an empty value by adding the following line:
    • For the system encryption key:
    • For the routine encryption key:

    where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,

    Information noteWarning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
  3. Save the key configuration file and restart your Talend Studio.
    The new version of the encryption key value will be generated and saved in the key configuration file.
  4. If the Job is executed on a Remote Engine, copy the key configuration file onto the Remote Engine server and add the following JVM argument for the corresponding Job task in a Job run profile for the Remote Engine in Talend Management Console:

    where <studio_key_path> is the absolute path to the Talend Studio encryption key configuration file on the Remote Engine, for example, D:\keys\studio.keys .

    For more information about how to define a Job run profile for a Remote Engine and add the JVM arguments in the run profile in Talend Management Console, see Configuring Job run profiles.

    Later, before executing the Job task on the Remote Engine, you need to edit the execution settings of the task by selecting the Job run profile where the JVM argument has been configured. For more information, see Accessing and editing Job tasks.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!