Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated, for security reasons. A method for doing so has been made available via a set of scripts.
The encryption key generated for performing the obfuscation will be available to the root and gpudb users to encrypt/decrypt passwords, as necessary.
Three utilities are provided to enable obfuscation of plain-text passwords in configuration files.
All scripts are located under /opt/gpudb/core/bin.
Script | Description
---|---
gpudb_generate_key.sh | Generates an encryption key for use in plain-text obfuscation
gpudb_encrypt.sh [<options>] "plain text" | Returns the obfuscated version of the given plain text
gpudb_decrypt.sh [<options>] <obfuscated text> | Returns the plain text version of the given obfuscated text
A common use case is obfuscating the plain-text LDAP password in the HTTPD configuration file when external authentication or external authentication with SSL is configured.
To encrypt the AuthLDAPBindPassword in the /opt/gpudb/httpd/conf/data.conf file:
Generate a new encryption key, if one does not already exist:
$ /opt/gpudb/core/bin/gpudb_generate_key.sh
Obfuscate the LDAP bind password to be used:
$ /opt/gpudb/core/bin/gpudb_encrypt.sh "secret password"
U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
The obfuscated password can be verified by decrypting it:
$ /opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
secret password
Modify the /opt/gpudb/httpd/conf/data.conf file's AuthLDAPBindPassword with the obfuscated password and decryption command:
## Password of user for search during bind
AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk"
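To confirm that no plain-text bind password remains after this change, a configuration file can be audited with a function like the one below. This is an added example, not a Kinetica script: the names audit_bind_password and write_samples and the sample configs are constructed for illustration, and only the gpudb_decrypt.sh path comes from this page.

```shell
#!/bin/sh
# Added example (not a Kinetica script): flag AuthLDAPBindPassword directives
# that do not use the exec: + gpudb_decrypt.sh form shown on this page.
DECRYPT=/opt/gpudb/core/bin/gpudb_decrypt.sh   # path taken from the page

# audit_bind_password FILE  (hypothetical helper name)
# Prints "<line number>: OK|OTHER_EXEC|PLAINTEXT" per directive and never
# echoes the value itself, so the output is safe to log.
# Returns 0 = all directives obfuscated, 1 = at least one is not,
#         2 = no AuthLDAPBindPassword directive found.
audit_bind_password() {
    awk -v dec="$DECRYPT" '
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == "authldapbindpassword" {      # directive names are case-insensitive
            found = 1
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)     # drop the directive name
            gsub(/^"|"[ \t]*$/, "", val)             # drop surrounding quotes
            if (index(val, "exec:" dec " ") == 1) { status = "OK" }
            else if (index(val, "exec:") == 1)    { status = "OTHER_EXEC"; bad = 1 }
            else                                  { status = "PLAINTEXT";  bad = 1 }
            print NR ": " status
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# write_samples DIR: constructed sample configs, not from a real deployment
write_samples() {
    printf '%s\n' '## Password of user for search during bind' \
        'AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh <obfuscated text>"' \
        > "$1/good.conf"
    printf '%s\n' '# AuthLDAPBindPassword "old value"' \
        'AuthLDAPBindPassword "secret password"' > "$1/bad.conf"
    printf '%s\n' 'AuthLDAPBindDN "cn=constructed,dc=example,dc=com"' > "$1/none.conf"
}

# Demo on the constructed samples
tmp=$(mktemp -d) && write_samples "$tmp"
for f in good bad none; do
    audit_bind_password "$tmp/$f.conf" && rc=0 || rc=$?
    echo "$f.conf -> exit $rc"
done
rm -rf "$tmp"
```

Run it as an account that can read data.conf; the non-zero exit status makes it usable as a failing check in configuration management.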