Rotating encryption keys in Talend Studio
Two encryption keys are now used by Talend Studio and Talend components to encrypt and decrypt passwords with the AES GCM 256 algorithm.
- system.encryption.key: for encrypting and decrypting nexus passwords and the passwords in the connection_user.properties file and the <jobname>_<jobversion>.item Job properties files. All Talend Studio users working on the same project must have the same system encryption key.
- routine.encryption.key: for encrypting and decrypting passwords when building and running Jobs.
The default values of these two keys system.encryption.key.v1 and routine.encryption.key.v1 are stored in the encryption key configuration file /configuration/studio.keys, which is created under the installation directory of your Talend Studio after you run the Talend Studio executable file Talend-Studio-macosx-cocoa.app for the first time. Below is an example of the newly created studio.keys file.
system.encryption.key.v1=ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\=
routine.encryption.key.v1=YBoRMn8gwD1Kt3CcowOiGeoxRbC2eNNVm7Id6vA3hrk\=
If the default system encryption key is not used to encrypt and decrypt any password, you can modify its value by removing its default value and restarting Talend Studio, ObIr3Je6QcJuxJEwErWaFWIxBzEjxIlBrtCPilSByJI\= in above example.
The default routine encryption key value cannot be modified. If you have already logged on to a project, Talend allows you to rotate an encryption key by adding a new version of the key in the encryption key configuration file.
The new version of the system encryption key takes effect for a Job only after you modify and save the Job.
If you need to rotate encryption keys when using Continuous Integration, you can use the -Dstudio.encryption.keys.file parameter to specify the path to the encryption key configuration file. For more information, see Building and Deploying.