Rotating encryption keys in Talend Studio

Rotating encryption keys in Talend Studio - 7.3

Talend Big Data Installation Guide for Mac

Version

7.3

Language

English (United States)

EnrichDitaval

Big Data for Mac

Product

Talend Big Data

Module

Talend Activity Monitoring Console

Talend Administration Center

Talend Artifact Repository

Talend CommandLine

Talend Data Preparation

Talend Data Stewardship

Talend Identity and Access Management

Talend Installer

Talend JobServer

Talend Log Server

Talend Runtime

Talend Studio

Content

Installation and Upgrade

Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.

system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Studio users working on the same project must have the same system encryption key.
routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.

Warning: We strongly recommend you rotate the key on one Studio, deploy the new key on Talend Administration Center and Talend JobServer if needed, and then distribute the new key to other Studios.

The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-macosx-cocoa.app for the first time. Below is an example of the newly created studio.keys file.

system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=

If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.

The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.

Note that the new version of the system encryption key will take effect for a Job only after you modify and save the Job.

About this task

The following procedure shows you how to rotate an encryption key.

Procedure

Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
Add a new version of the encryption key with an empty value by adding the following line:
- For the system encryption key:
```
system.encryption.key.v<version_number>=
```
- For the routine encryption key:
```
routine.encryption.key.v<version_number>=
```
where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,
```
system.encryption.key.v2=
routine.encryption.key.v2=
```
Warning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
Save the key configuration file and restart your Talend Studio.
The new version of the encryption key value will be generated and saved in the key configuration file.
If you are rotating the routine encryption key and your Jobs are executed on Talend JobServer, copy the key configuration file for Talend Studio to a directory on the server where Talend JobServer is installed and set the JVM parameter -Dencryption.keys.file on Talend JobServer.
For more information, see Set a JVM property for all the Jobs executed by a JobServer on Windows / Linux.
If you are rotating the system encryption key while working on a remote project, set the same encryption key for Talend Administration Center.
1. Copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed, for example, D:/StudioKeys.
2. Open the file <TomcatPath>/bin/catalina.sh under the installation directory of your Talend Administration Center.
3. Add the following line at the beginning of the file:
```
JAVA_OPTS="-Dencryption.keys.file=/d/StudioKeys/studio.keys"
```
If you are rotating the routine encryption key and your Jobs are executed from Job Conductor in Talend Administration Center, copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed and set the JVM parameter -Dencryption.keys.file for the corresponding task in Talend Administration Center.
For more information about how to set JVM parameters for a task in Talend Administration Center, see Setting JVM parameters for specific tasks.
Restart your Talend Administration Center for any reconfiguration on it.