Encrypting passwords for Data Services and Routes

The Talend ESB Runtime provides a utility to enable you to encrypt passwords for Data Services and Routes. You can set the encrypted values while developing in Talend Studio, when deploying the artifacts in Talend Administration Center or Talend Management Console if context parameters are used, or after deployment via the .cfg files of the artifacts.
Note: This feature is available from Talend Runtime 8.0.1-R2025-08 onwards.

Follow these steps to use this utility:

  1. Start the Talend Runtime Container.
  2. Install the tesb-daikon-encryptor-command feature in the container:
    feature:install tesb-daikon-encryptor-command
  3. Get an encrypted string by entering the following command in the container:
    tesb:encrypt-daikon password
    The output is similar to the following:
    enc:routine.encryption.key.v1:j3GdW2HSktLV3U/p3QlCdq3GXzqW0DnHgGFEOwmJ+DCV

To use your own encryption keys instead of the default key, set the Java system property encryption.keys.file. To rotate encryption keys, proceed as follows:

  1. Stop Talend Runtime.
  2. If you use Talend Runtime installed as an OS service, append -Dencryption.keys.file=<PATH>/keys.properties to set.JDK_JAVA_OPTION in your effective wrapper.conf file.

    If you have a standalone Talend Runtime installation and start the Talend Runtime via the bin/trun script, append -Dencryption.keys.file=<PATH>/keys.properties to EXTRA_JAVA_OPTS in the bin/setenv file.

    As an alternative, both types of users can set (or update) the EXTRA_JAVA_OPTS environment variable to include -Dencryption.keys.file=<PATH>/keys.properties, or simply define the property encryption.keys.file in etc/system.properties.

    Note that in the keys.properties file, the special character = is escaped with \. For example:
    routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
    routine.encryption.key.v2=9Op2L0vcvvUwcmi/K48Aud9sNxy1PshRHMeygowjmRU\=
    You can generate an encryption key using the OpenSSL command line tool and add it to your keys.properties file with the appropriate version number. If the key contains an = character, make sure to escape it:
    openssl rand -base64 32
    Example output:
    Z9W+D7z/FVAoONS9DRnCeHt2JTkalxz1cdyqDBnCv+Y=
    Given the example output, the key can be specified in the keys.properties file as follows:
    routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
    routine.encryption.key.v2=9Op2L0vcvvUwcmi/K48Aud9sNxy1PshRHMeygowjmRU\=
    routine.encryption.key.v3=Z9W+D7z/FVAoONS9DRnCeHt2JTkalxz1cdyqDBnCv+Y\=

    Alternatively, you can use the following Java code snippet to generate valid encryption keys:

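    import java.security.NoSuchAlgorithmException;
    import java.security.SecureRandom;
    import java.util.Base64;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    // The class name is illustrative.
    public class GenerateEncryptionKey {
        public static void main(String[] args) throws NoSuchAlgorithmException {
            // Generate a 256-bit AES key from a cryptographically secure random source.
            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
            SecureRandom secureRandom = new SecureRandom();
            keyGen.init(256, secureRandom);
            SecretKey aesKey = keyGen.generateKey();
            // Base64-encode the raw key bytes; escape any = before adding it to keys.properties.
            String encodedKey = Base64.getEncoder().encodeToString(aesKey.getEncoded());
            System.out.println("Generated AES Key (Base64): " + encodedKey);
        }
    }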
    Example output:
    Generated AES Key (Base64): G+D1UlhJNx8mJGYpzxFz1wrSb/H69Mdp5nNIqKwXfK8=
  3. Restart Talend Runtime.

    Every deployed Studio artifact will reload the encryption keys from the <PATH>/keys.properties file. The tesb:encrypt-daikon command will use the last key in the file to encrypt text.

    For example, if the keys.properties file is as follows, routine.encryption.key.v2 is the key used by the tesb:encrypt-daikon command.
    routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
    routine.encryption.key.v2=9Op2L0vcvvUwcmi/K48Aud9sNxy1PshRHMeygowjmRU\=

    If you keep the encryption.keys.file value but modify its content, Talend Runtime must be restarted for the changes to take effect.
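
The following shell functions are an added example, not part of the Talend documentation or product. They append a new key to keys.properties under the next routine.encryption.key.vN name with = escaped, so that it becomes the last key in the file. The function names, the owner-only file permissions and the 44-character length check (32 random bytes in Base64, as produced by the commands above) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Talend code. Function names are hypothetical.

# Print the next free N for routine.encryption.key.vN in file $1.
next_key_version() {
    max=$(sed -n 's/^routine\.encryption\.key\.v\([0-9][0-9]*\)=.*/\1/p' "$1" \
        | sort -n | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

# Escape every '=' with a backslash, as keys.properties requires.
escape_key() {
    printf '%s\n' "$1" | sed 's/=/\\=/g'
}

# Append Base64 key $2 to file $1 as the newest version; print its name.
append_key() {
    file=$1
    key=$2
    # Assumption: keys are 32 random bytes, i.e. 44 Base64 characters.
    if [ "${#key}" -ne 44 ]; then
        echo "expected a 44-character Base64 key" >&2
        return 1
    fi
    # Create the file owner-only if missing, and tighten it if it exists.
    ( umask 077; : >> "$file" ) || return 1
    chmod 600 "$file" || return 1
    # Terminate an unfinished last line so the new entry starts on its own line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    version=$(next_key_version "$file")
    printf 'routine.encryption.key.v%s=%s\n' "$version" "$(escape_key "$key")" >> "$file"
    echo "routine.encryption.key.v$version"
}

# Generate a key with OpenSSL (as on this page) and append it to file $1.
rotate_key() {
    key=$(openssl rand -base64 32) || return 1
    append_key "$1" "$key"
}

# Usage: sh rotate-key.sh <PATH>/keys.properties   (then restart Talend Runtime)
if [ "$#" -eq 1 ]; then
    rotate_key "$1"
fi
```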
