Set Up Password Encryption in Datameer

Password encryption with Keyczar is only supported for Enterprise customers. Ask your Datameer representative for the plug-in.
For password encryption, Datameer uses the KeyczarTool.

Learn how best to set up Datameer to use password encryption. Using this setup, passwords to a database or the admin password for Datameer itself are encrypted in the live.properties or default.properties files. If you are using multiple property files, make sure that these passwords are only set in the overriding file. By default the following passwords are saved as plain text:

  • system.property.db.password
  • mail.password 
  • admin.password
  • das.superuser.password

This guide shows you how to encrypt the above passwords using Keyczar and set up Datameer to use these encrypted values.

Requirements

The following requirements need to be met to use password encryption with Datameer.

  • Datameer v5.4 or above
  • The plugin-crypto-keyczar-<datameerVersion>.zip plug-in (can be obtained from Datameer services representatives) 
  • Path name to a directory where the keystore file is saved
  • The JAVA_HOME environment variable needs to point to the same Java installation that Datameer loads

Setup Instructions

  1. Before making changes to the Datameer server, stop the Datameer application using the following command:

    <datameerApplicationFolder>/bin/conductor.sh stop
  2. In the default.properties or live.properties file related to your installation, change the property crypto.implementation to keyczar.

    # Defines the cryptographic implementation to use to decrypt encrypted properties in our configuration files
    # Datameer provides two implementations: noop, keyczar
    crypto.implementation=keyczar

    The encryption of properties in Datameer is disabled by default. Datameer provides two implementations out of the box.

    • noop (No operation, passes values directly through)
    • keyczar (uses the Keyczar library to encrypt/decrypt values)
  3. In the default.properties or live.properties file related to your installation, set the property keyczar.key.file to the path of the directory where the keystore file lives.

    # In case crypto.implementation=keyczar is used, a path to the keystore directory must be set.
    # This can be a relative path from Datameer home or an absolute path.
    keyczar.key.file=<path/to/keystore-directory>
  4. Copy the plug-in plugin-crypto-keyczar-<datameerVersion>.zip to the etc/custom-plugins folder.

    mv plugin-crypto-keyczar-<datameerVersion>.zip <datameerApplicationFolder>/etc/custom-plugins
  5. Create a keystore file. The keystore directory must already exist before you run this step. The keystore file that is created is named meta.

    bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt
  6. Create and add a new key file (if it doesn't already exist).

    bin/keyczar.sh addkey --location=<path/to/keystore-directory> --status=primary
  7. Create encrypted passwords using the crypt.sh script (found under <datameerApplicationFolder>/bin/crypt.sh) and copy these encrypted passwords into the default.properties or live.properties files used for your installation.

    <datameerApplicationFolder>/bin/crypt.sh -e "12345"
    ACPmhEUjUWtKwO9qk-KXNFpEN0BKLIha2VueI2zrlpOJzf4IDwRIr7FK-qA9aCwClugnX4h2vyJA
  8. After copying all encrypted passwords into the *.properties files, restart the Datameer application.

    <datameerApplicationFolder>/bin/conductor.sh start
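
The following check is an added example, not part of Datameer or of the original page: it audits a properties file for the four password properties listed above and reports any that still look like plain text. The function names, the sample file contents and the "looks encrypted" heuristic (modelled on the crypt.sh output shown in step 7) are assumptions.

```shell
#!/bin/sh
# Added example (not Datameer code): flag password properties left in plain text.
SENSITIVE_KEYS="system.property.db.password mail.password admin.password das.superuser.password"

# Print the last value assigned to key $2 in properties file $1 (empty if unset).
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                       # skip comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# Assumed heuristic, modelled on the crypt.sh output in step 7: only web-safe
# base64 characters, a leading "A", and at least 76 characters.
looks_encrypted() {
    case "$1" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -ge 76 ] && [ "${1#A}" != "$1" ]
}

# Print one FAIL line per finding (never the value); status 0 only if clean.
audit_props() (
    findings=0
    impl=$(prop_value "$1" crypto.implementation)
    if [ "$impl" != "keyczar" ]; then
        echo "FAIL crypto.implementation is '${impl:-unset}', expected keyczar"
        findings=$((findings + 1))
    fi
    if [ -z "$(prop_value "$1" keyczar.key.file)" ]; then
        echo "FAIL keyczar.key.file is not set"; findings=$((findings + 1))
    fi
    for key in $SENSITIVE_KEYS; do
        val=$(prop_value "$1" "$key")
        if [ -n "$val" ] && ! looks_encrypted "$val"; then
            echo "FAIL $key looks like plain text"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample: one value copied from step 7, one left in plain text.
write_sample() {
    printf '%s\n' 'crypto.implementation=keyczar' 'keyczar.key.file=conf/keystore' \
        'admin.password=ACPmhEUjUWtKwO9qk-KXNFpEN0BKLIha2VueI2zrlpOJzf4IDwRIr7FK-qA9aCwClugnX4h2vyJA' \
        'mail.password=hunter2' > "$1"
}
if [ "$#" -gt 0 ]; then audit_props "$1"; fi
```

Pass the path of the overriding properties file as the only argument; the script exits non-zero when anything is flagged, so it can gate the restart in step 8.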

Keyczar Algorithms

When doing encryption/decryption, Datameer uses AES as an algorithm. No alternative algorithms are currently supported. By default, the keys are 128 bits. 192 and 256 bit keys are also supported when the Java Cryptography Extension (JCE) Unlimited Strength file is installed.

The following commands create a key using AES with 128 bits:

bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt
bin/keyczar.sh addkey --location=<keystore-directory> --status=primary --size=128
bin/crypt.sh -e dap

The following commands create a key using AES with 256 bits:

bin/keyczar.sh create --location=<keystore-directory> --purpose=crypt
bin/keyczar.sh addkey --location=<keystore-directory> --status=primary --size=256
bin/crypt.sh -e dap

Troubleshooting

When using a custom key size, the following exception might occur:

Caused by: java.security.InvalidKeyException: Illegal key size or default parameters.

To fix this, make sure the unlimited strength file is installed.

The following files are required:

These files must be installed under $JAVA_HOME/jre/lib/security/.