Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.
- system.encryption.key: for encrypting and decrypting Nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Studio users working on the same project must have the same system encryption key.
- routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
Warning: We strongly recommend you rotate the key on one Studio, deploy the new key on Talend Administration Center and Talend JobServer if needed, and then distribute the new key to other Studios.
The default values of these two keys, system.encryption.key.v1 and routine.encryption.key.v1, are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-macosx-cocoa.app for the first time. Below is an example of the newly created studio.keys file.
system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value (ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in the above example) and restarting Talend Studio.
The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.
Note that the new version of the system encryption key will take effect for a Job only after you modify and save the Job.
About this task
The following procedure shows you how to rotate an encryption key.
Procedure
- Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
- Add a new version of the encryption key with an empty value by adding the following line:
  where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,
  system.encryption.key.v2=
  routine.encryption.key.v2=
  Warning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
- Save the key configuration file and restart your Talend Studio.
  The new version of the encryption key value will be generated and saved in the key configuration file.
- If you are rotating the routine encryption key and your Jobs are executed on Talend JobServer, copy the key configuration file for Talend Studio to a directory on the server where Talend JobServer is installed and set the JVM parameter -Dencryption.keys.file on Talend JobServer.
- If you are rotating the system encryption key while working on a remote project, set the same encryption key for Talend Administration Center.
  - Copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed, for example, D:/StudioKeys.
  - Open the file <TomcatPath>/bin/catalina.sh under the installation directory of your Talend Administration Center.
  - Add the following line at the beginning of the file:
    JAVA_OPTS="-Dencryption.keys.file=/d/StudioKeys/studio.keys"
- If you are rotating the routine encryption key and your Jobs are executed from Job Conductor in Talend Administration Center, copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed and set the JVM parameter -Dencryption.keys.file for the corresponding task in Talend Administration Center.
- Restart your Talend Administration Center so that any reconfiguration on it takes effect.
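A check to run before copying a rotated studio.keys to Talend JobServer or Talend Administration Center, as an added example that is not Talend code: it compares the file before and after rotation against the rules in the procedure above. The function names and sample values are constructed for illustration, and the script assumes every existing key version has already been used to encrypt a password.

```python
import re

# Matches lines such as "system.encryption.key.v2=<value>" as shown on this page.
KEY_LINE = re.compile(r"^(system|routine)\.encryption\.key\.v(\d+)=(.*)$")

def parse_keys(text):
    """Return {(family, version): value} from studio.keys content."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank lines and .properties comments
        m = KEY_LINE.match(line)
        if m:
            family, version, value = m.group(1), int(m.group(2)), m.group(3)
            keys[(family, version)] = value.replace("\\=", "=")  # undo "\=" escaping
    return keys

def check_rotation(old_text, new_text):
    """Compare the file before and after rotation; return a list of problems."""
    old, new = parse_keys(old_text), parse_keys(new_text)
    problems = []
    # Assumption: every existing version has been used, so it must survive unchanged.
    for (family, version), value in sorted(old.items()):
        if (family, version) not in new:
            problems.append(f"{family} v{version} was deleted")
        elif new[(family, version)] != value:
            problems.append(f"{family} v{version} value was changed")
    for (family, version), value in sorted(new.items()):
        if (family, version) in old:
            continue
        highest = max((v for f, v in old if f == family), default=0)
        if version <= highest:
            problems.append(f"{family} v{version} is not higher than existing v{highest}")
        if not value:
            problems.append(f"{family} v{version} is still empty (Studio not restarted?)")
    return problems

# Constructed sample input: placeholder values, not real keys.
OLD = "system.encryption.key.v1=AAAA\\=\nroutine.encryption.key.v1=BBBB\\=\n"
GOOD = OLD + "routine.encryption.key.v2=CCCC\\=\n"
BAD = "system.encryption.key.v1=AAAA\\=\nroutine.encryption.key.v2=\n"

if __name__ == "__main__":
    print(check_rotation(OLD, GOOD))
    print(check_rotation(OLD, BAD))
```

The script reports only key family and version numbers, never key values, so its output can go into a change ticket or deployment log.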