Skip to main content Skip to complementary content

Rotating encryption keys in Talend Studio

Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.

  • system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Talend Studio users working on the same project must have the same system encryption key.
  • routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
Information noteWarning: Talend strongly recommends you rotate the key on one Talend Studio, deploy the new key on Talend Administration Center and Talend JobServer if needed, and then distribute the new key to other Talend Studio applications.

The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of Talend Studio after you run the Talend Studio executable file Talend-Studio-linux-gtk-x86_64 for the first time. Below is an example of the newly created studio.keys file.

system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=

If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.

The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.

The new version of the system encryption key takes effect for a Job only after you modify and save the Job.

If you need to rotate encryption keys when using Continuous Integration, you can use the -Dstudio.encryption.keys.file parameter to specify the path to the encryption key configuration file. For more information, see Building and Deploying.

About this task

The following procedure shows you how to rotate an encryption key.

Procedure

  1. Open the key configuration file /configuration/studio.keys under the installation directory of your Talend Studio.
  2. Add a new version of the encryption key with an empty value by adding the following line:
    • For the system encryption key:
      system.encryption.key.v<version_number>=
    • For the routine encryption key:
      routine.encryption.key.v<version_number>=

    where <version_number> is a simple integer which represents the version of the new encryption key and should be higher than any existing version number, for example,

    system.encryption.key.v2=
    routine.encryption.key.v2=
    Information noteWarning: Any previous version of the encryption key must not be deleted if it has already been used to encrypt a password.
  3. Save the key configuration file and restart Talend Studio.
    The new version of the encryption key value will be generated and saved in the key configuration file.
  4. If you are rotating the routine encryption key and your Jobs are executed on Talend JobServer, copy the key configuration file for Talend Studio to a directory on the server where Talend JobServer is installed and set the JVM parameter -Dencryption.keys.file on Talend JobServer.
  5. If you are rotating the system encryption key while working on a remote project, set the same encryption key for Talend Administration Center.
    1. Copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed, for example, D:/StudioKeys.
    2. Open the file <TomcatPath>/bin/catalina.sh under the installation directory of your Talend Administration Center.
    3. Add the following line at the beginning of the file:
      JAVA_OPTS="-Dencryption.keys.file=/d/StudioKeys/studio.keys"
  6. If you are rotating the routine encryption key and your Jobs are executed from Job Conductor in Talend Administration Center, copy the key configuration file for Talend Studio to a directory on the server where Talend Administration Center is installed and set the JVM parameter -Dencryption.keys.file for the corresponding task in Talend Administration Center.
    For more information about how to set JVM parameters for a task in Talend Administration Center, see Setting JVM parameters for specific tasks.
  7. Restart your Talend Administration Center for any reconfiguration on it.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!