Rotating encryption keys in Talend Studio - 7.3

Talend Data Management Platform Installation Guide for Linux
EnrichVersion
7.3
EnrichProdName
Talend Data Management Platform
EnrichPlatform
Talend Activity Monitoring Console
Talend Administration Center
Talend Artifact Repository
Talend CommandLine
Talend Data Preparation
Talend Data Stewardship
Talend DQ Portal
Talend Identity and Access Management
Talend Installer
Talend JobServer
Talend Log Server
Talend Repository Manager
Talend Runtime
Talend SAP RFC Server
Talend Studio
task
Installation and Upgrade

Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt passwords.

  • system.encryption.key: for encrypting properties and nexus passwords.
  • routine.encryption.key: for encrypting passwords of generated Jobs.

The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-linux-gtk-x86_64 for the first time. Below is an example of the newly created studio.keys file.

system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=

Talend allows you to modify only once the default system encryption key value before you log on to a project by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example. The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.

Note:
  • The new version of the system encryption key will take effect for a Job only after you modify and save the Job.
  • Since a Job runs in a single JVM, after rotating the routine encryption key for Talend Studio, you also need to update the JVM for all Jobs.

About this task

The following procedure shows you how to rotate an encryption key.

Procedure

  1. Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
  2. Add a new version of the encryption key with an empty value by adding the following line:
    • For the system encryption key:
      system.encryption.key.v<version_number>=
    • For the routine encryption key:
      routine.encryption.key.v<version_number>=

    where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,

    system.encryption.key.v2=
routine.encryption.key.v2=
    Warning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
  3. Save the key configuration file and restart your Talend Studio.
    The new version of the encryption key value will be generated and saved in the key configuration file.
  4. If you are rotating the routine encryption key, update the JVM argument settings for all Jobs in Talend Studio.
    1. From the menu bar, click Window > Preferences to open the Preferences dialog box.
    2. Expand the Talend node and click Run/Debug.
    3. Click New... in the Job Run VM arguments area.
    4. In the pop-up Set the VM Argument dialog box, set the following argument: 
      -Dencryption.keys.file=<studio_key_path>

      where <studio_key_path> is the absolute path to the Talend Studio encryption key configuration file, for example, d/Talend-Studio/configuration/studio.keys.

      Note: If the Jobs are executed on Talend JobServer, the key configuration file must be copied onto the server and the path on the server must have the same directory structure as on the client machine where your Talend Studio is installed.
    5. Click OK to close the Set the VM Argument dialog box.
    6. Click Apply and Close to save your changes and close the Preferences dialog box.
  5. If you are using a remote project, set the same encryption key for Talend Administration Center.
    1. Copy the key configuration file studio.keys to a directory on the server where Talend Administration Center is installed, for example, D:/StudioKeys.
    2. Open the file <TomcatPath>/bin/catalina.sh under the installation directory of your Talend Administration Center.
    3. Add the following line at the beginning of the file: 
      JAVA_OPTS="-Dencryption.keys.file=/d/StudioKeys/studio.keys"
  6. If the Job is executed from Job Conductor in Talend Administration Center, set JVM parameters for the corresponding task in Talend Administration Center.
    For more information about how to set JVM parameters in Talend Administration Center, see https://help.talend.com/access/sources/content/topic?pageid=set_jvm_parameters_for_specific_tasks_in_tac&EnrichVersion=7.3&afs:lang=en.
    Note: If the Jobs are executed on Talend JobServer, the key configuration file must be copied onto Talend JobServer and the path on Talend JobServer must have the same directory structure as specified in the JVM parameter in Talend Administration Center.
  7. Restart your Talend Administration Center for any reconfiguration on it.