Version:

Obfuscating Plain-Text Passwords

Overview

Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated, for security reasons. A method for doing so has been made available via a set of scripts.

The encryption key generated for performing the obfuscation will be available to the root and gpudb users to encrypt/decrypt passwords, as necessary.

Utilities

Three utilities are provided to enable obfuscation of plain-text passwords in configuration files.

All scripts are located under /opt/gpudb/core/bin.

Script Description
gpudb_generate_key.sh Generates an encryption key for use in plain-text obfuscation
gpudb_encrypt.sh [<options>] "plain text"

Returns the obfuscated version of the given plain text

Option Description
--help See help info for running command
--cipher Choose alternate encryption cipher; default cipher is 256-bit AES
gpudb_decrypt.sh [<options>] <obfuscated text>

Returns the plain text version of the given obfuscated text

Option Description
--help See help info for running command
--cipher Choose alternate decryption cipher; default cipher is 256-bit AES

Example

A common use case is in obfuscating the plain-text LDAP password in the HTTPD configuration file when external authentication or external authentication w/ SSL is configured.

To encrypt the AuthLDAPBindPassword in the /opt/gpudb/httpd/conf/data.conf file:

  1. Generate a new encryption key, if one does not already exist:

    $ /opt/gpudb/core/bin/gpudb_generate_key.sh
    
  2. Obfuscate the LDAP bind password to be used:

    $ /opt/gpudb/core/bin/gpudb_encrypt.sh "secret password"
    U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
    
  3. The obfuscated password can be verified by decrypting it:

    $ /opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
    secret password
    
  4. Modify the /opt/gpudb/httpd/conf/data.conf file's AuthLDAPBindPassword with the obfuscated password and decryption command:

    ## Password of user for search during bind
    AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk"