Encrypting passwords for Data Services and Routes
The Talend ESB
Runtime provides a utility to enable you to encrypt passwords for Data Services and
Routes. You can there after use the encrypted values in Talend Studio for
Data Services and Routes that act as clients, or in the .cfg files for
the same type of artifacts.
Information noteNote: This feature is available from
Talend Runtime
8.0.1-R2025-08 onwards.
Follow these steps to use this utility:
- Start the Talend Runtime Container.
- Install the tesb-daikon-encryptor-command feature in the container:
karaf@trun()>feature:install tesb-daikon-encryptor-command
- Get an encrypted string for 'tadmin' for example by entering the following command in
the container:
You will get the following result:
karaf@trun()> tesb:encrypt-daikon tadmin
enc:routine.encryption.key.v1:j3GdW2HSktLV3U/p3QlCdq3GXzqW0DnHgGFEOwmJ+DCV
It’s possible to not use the default encryption key by using the Java system property encryption.keys.file:
- Stop Talend Runtime.
- Execute the following command in a command line
window:
export EXTRA_JAVA_OPTS=-Dencryption.keys.file=<PATH>/keys.properties
Alternatively, you can set it as an environment variable.
-
Restart Talend Runtime.
Every deployed Studio artifact will now use the last key in <PATH>/keys.properties. The tesb:encrypt-daikon command will also encrypt text based on that key.
For example, if the keys.properties is as follows, routine.encryption.key.v2 will be the key used to decrypt by the client Routes and encrypt by the tesb:encrypt-daikon command.routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\= routine.encryption.key.v2=9Op2L0vcvvUwcmi/K48Aud9sNxy1PshRHMeygowjmRU\=
If you keep the encryption.keys.file value but modify its content, Talend Runtime must be restarted for the changes to take effect.
To generate encryption keys, you can use the following Java code:
import java.util.Base64;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
...
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
SecretKey aesKey = keyGen.generateKey();
String encodedKey = Base64.getEncoder().encodeToString(aesKey.getEncoded());
System.out.println("Generated AES Key (Base64): " + encodedKey);