Rotating encryption keys in Talend Studio
Two encryption keys are now used by Talend Studio, Talend Administration Center and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.
- system.encryption.key: for encrypting and decrypting Nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Talend Studio users working on the same project must have the same system encryption key.
- routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
The default values of these two keys, system.encryption.key.v1 and routine.encryption.key.v1, are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of Talend Studio after you run the Talend Studio executable file Talend-Studio-macosx-cocoa.app for the first time. Below is an example of the newly created studio.keys file.
system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
If the default system encryption key has not been used to encrypt or decrypt any password, you can modify its value by removing its default value (ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in the example above) and restarting Talend Studio.
The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.
The new version of the system encryption key takes effect for a Job only after you modify and save the Job.
If you need to rotate encryption keys when using Continuous Integration, you can use the -Dstudio.encryption.keys.file parameter to specify the path to the encryption key configuration file. For more information, see Building and Deploying.
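The following check for a studio.keys file after a rotation is an added example, not part of the Talend documentation or tooling. It assumes that a new key version follows the .vN naming of the defaults and that each value is a base64-encoded 256-bit key; the v2 and v3 entries in the sample are constructed.

```python
import base64
import binascii
import re

# Key names follow the pattern of the defaults shown above; ".vN" for N > 1 is an assumption.
KEY_NAME = re.compile(r"^(system|routine)\.encryption\.key\.v(\d+)$")
AES_256_KEY_BYTES = 32

def parse_keys_file(text):
    """Parse studio.keys lines into {name: value}, undoing the '\\=' escape."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        name, sep, value = line.partition("=")
        if sep:
            entries[name.strip()] = value.strip().replace("\\=", "=")
    return entries

def audit(text):
    """Return (highest valid version per key family, list of findings)."""
    active, problems = {}, []
    for name, value in parse_keys_file(text).items():
        m = KEY_NAME.match(name)
        if not m:
            problems.append(f"{name}: unexpected key name")
            continue
        try:
            key = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{name}: value is not valid base64")
            continue
        if len(key) != AES_256_KEY_BYTES:
            problems.append(f"{name}: {len(key)} bytes, expected {AES_256_KEY_BYTES}")
            continue
        family, version = m.group(1), int(m.group(2))
        active[family] = max(active.get(family, 0), version)
    return active, problems

# v1 lines are the example from this page; v2 and v3 are constructed for the demo.
SAMPLE = r"""
system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
system.encryption.key.v2=AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8\=
system.encryption.key.v3=c2hvcnQta2V5
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the same file that -Dstudio.encryption.keys.file points to in Continuous Integration, so that Studio users and CI builds are checked against one set of key versions.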