Rotating encryption keys in Talend Studio
Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.
- system.encryption.key: for encrypting and decrypting Nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Studio users working on the same project must have the same system encryption key.
- routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
The default values of these two keys, system.encryption.key.v1 and routine.encryption.key.v1, are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio the first time you run the Talend Studio executable file Talend-Studio-linux-gtk-x86_64. Below is an example of a newly created studio.keys file.
system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
If the default system encryption key has not been used to encrypt or decrypt any password, you can modify its value by removing the default value (ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in the example above) and restarting Talend Studio.
The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.
Note that the new version of the system encryption key will take effect for a Job only after you modify and save the Job.
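The following added example (not Talend's own code) audits the content of a studio.keys file in the format shown above: it undoes the \= escaping, checks that each value decodes to the 32 bytes AES-256 requires, and flags a new key version that reuses earlier key material. The .v2 entry names, the function name audit_studio_keys and the sample key values are assumptions constructed for illustration.

```python
import base64
import re

# Entry names from the page; versions above v1 follow the same pattern (assumption).
ENTRY = re.compile(r"^(system|routine)\.encryption\.key\.v(\d+)$")


def audit_studio_keys(text):
    """Parse studio.keys content; return ({(kind, version): key bytes}, [findings])."""
    keys, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or .properties comment
            continue
        name, sep, value = line.partition("=")
        name = name.strip()
        match = ENTRY.match(name)
        if not sep or not match:
            findings.append(f"line {lineno}: unrecognised entry")
            continue
        ident = (match.group(1), int(match.group(2)))
        value = value.strip().replace("\\=", "=")  # undo .properties escaping of '='
        try:
            key = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"line {lineno}: {name} is not valid Base64")
            continue
        if len(key) != 32:  # AES-256 needs a 32-byte key
            findings.append(f"line {lineno}: {name} is {len(key) * 8} bits, not 256")
            continue
        if key in keys.values():  # a rotated version must carry fresh key material
            findings.append(f"line {lineno}: {name} reuses existing key material")
        keys[ident] = key
    return keys, findings


def _b64(key):
    """Encode key bytes the way the file stores them, with '=' escaped."""
    return base64.b64encode(key).decode().replace("=", "\\=")


# Constructed sample: placeholder keys, not real secrets.
SAMPLE = "\n".join([
    f"system.encryption.key.v1={_b64(bytes(range(32)))}",
    f"routine.encryption.key.v1={_b64(bytes(range(32, 64)))}",
    f"system.encryption.key.v2={_b64(bytes(range(32)))}",  # reuses the v1 key
    f"routine.encryption.key.v2={_b64(bytes(16))}",        # only 128 bits
])
```

Calling audit_studio_keys(SAMPLE) returns the three accepted keys and two findings, one for the reused system key and one for the undersized routine key.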