Encrypting properties stored in the IAM configuration file - 7.3

Talend Installation Guide

Operating system
Subscription type
Talend Big Data
Talend Big Data Platform
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
Talend Activity Monitoring Console
Talend Administration Center
Talend Artifact Repository
Talend CommandLine
Talend Data Preparation
Talend Data Stewardship
Talend DQ Portal
Talend ESB
Talend Identity and Access Management
Talend Installer
Talend JobServer
Talend LogServer
Talend MDM Server
Talend MDM Web UI
Talend Repository Manager
Talend Runtime
Talend SAP RFC Server
Talend Studio
Installation and Upgrade
Last publication date

You can generate an encryption key to encrypt sensitive information in the Talend Identity and Access Management configuration file.

A default encryption key is delivered with the installation of Talend Identity and Access Management. It is recommended to replace it with your own encryption in the keys.properties file.


  1. Go to the apache-tomcat folder of your Talend Identity and Access Management installation.
  2. Open the conf/keys.properties file. If it does not exist, you need to create it.
  3. Generate your own encryption secret.


    For example, using this OpenSSL command:

    openssl rand -base64 32
  4. In the keys.properties file, added this content:


    aes.key=<generated key>
  5. Save your changes.
    If the Talend Identity and Access Management is already on, restart it so that the configuration takes effect.


On start of Talend Identity and Access Management, this encryption secret is used to encrypt the following properties:
  • tac.password
  • idp.db.password
  • oidc.db.password
  • oidc.dynRegService.initialAccessToken
  • oidc.keystore.password
  • oidc.key.password
  • syncope.password
  • sts.keystore.password
  • sts.key.password
  • all secrets in the clients/*.json files.

If you have started Talend Identity and Access Management before changing the encryption key, your properties have already been encrypted with the default key. In this situation, you must write all the encrypted values again in their original plain text values, because the new encryption key cannot decrypt those properties.