Two encryption keys are now used by Talend Studio and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.
system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Studio users working on the same project must have the same system encryption key.
routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
Note that rotating encryption keys is not supported yet for Routes and Data services.
The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-macosx-cocoa.app for the first time. Below is an example of the newly created studio.keys file.
If the default system encryption key is not used to encrypt and decrypt any password, you
can modify its value by removing its default value and restarting Talend Studio,
ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.
The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.
Note that the new version of the system encryption key will take effect for a Job only after you modify and save the Job.
About this task
- Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
Add a new version of the encryption key with an empty value by adding the following
- For the system encryption
- For the routine encryption
<version_number>is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,
system.encryption.key.v2= routine.encryption.key.v2=Warning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
- For the system encryption key:
Save the key configuration file and restart your Talend Studio.
The new version of the encryption key value will be generated and saved in the key configuration file.
If the Job is executed on a Remote Engine, copy the key configuration file onto the
Remote Engine server and add the following JVM argument for the corresponding Job
task in a Job run profile for the Remote Engine in Talend Cloud Management Console:
<studio_key_path>is the absolute path to the Talend Studio encryption key configuration file on the Remote Engine, for example,
For more information about how to define a Job run profile for a Remote Engine and add the JVM arguments in the run profile in Talend Cloud Management Console, see Configuring Job run profiles.
Later, before executing the Job task on the Remote Engine, you need to edit the execution settings of the task by selecting the Job run profile where the JVM argument has been configured. For more information, see Accessing and editing Job tasks.