Rotating encryption keys in Talend Studio - Cloud

Talend Cloud Installation and Upgrade Guide

Operating system
Talend Cloud
Talend Artifact Repository
Talend Data Stewardship
Talend Management Console
Talend Remote Engine
Talend SAP RFC Server
Talend Studio
Installation and Upgrade
Last publication date

Two encryption keys are now used by Talend Studio and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.

  • system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the file and the <jobname>_<jobversion>.item Job properties files. All Talend Studio users working on the same project must have the same system encryption key.
  • routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
Warning: Talend strongly recommends you rotate the key on one Talend Studio, deploy the new key on the Remote Engine if needed, and then distribute the new key to other Talend Studios.

The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file for the first time. Below is an example of the newly created studio.keys file.


If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.

The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.

The new version of the system encryption key takes effect for a Job only after you modify and save the Job.

If you need to rotate encryption keys when using Continuous Integration, you can use the -Dstudio.encryption.keys.file parameter to specify the path to the encryption key configuration file. For more information, see Building and Deploying.

About this task

The following procedure shows you how to rotate an encryption key.


  1. Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
  2. Add a new version of the encryption key with an empty value by adding the following line:
    • For the system encryption key:
    • For the routine encryption key:

    where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,

    Warning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
  3. Save the key configuration file and restart your Talend Studio.
    The new version of the encryption key value will be generated and saved in the key configuration file.
  4. If the Job is executed on a Remote Engine, copy the key configuration file onto the Remote Engine server and add the following JVM argument for the corresponding Job task in a Job run profile for the Remote Engine in Talend Cloud Management Console:

    where <studio_key_path> is the absolute path to the Talend Studio encryption key configuration file on the Remote Engine, for example, d/keys/studio.keys.

    For more information about how to define a Job run profile for a Remote Engine and add the JVM arguments in the run profile in Talend Cloud Management Console, see Configuring Job run profiles.

    Later, before executing the Job task on the Remote Engine, you need to edit the execution settings of the task by selecting the Job run profile where the JVM argument has been configured. For more information, see Accessing and editing Job tasks.