Obfuscating Plain-Text Passwords


Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated, for security reasons. A method for doing so has been made available via a set of scripts.

The encryption key generated for performing the obfuscation will be available to the root and gpudb users to encrypt/decrypt passwords, as necessary.


Three utilities are provided to enable obfuscation of plain-text passwords in configuration files.

All scripts are located under /opt/gpudb/core/bin.

gpudb_generate_key.shGenerates an encryption key for use in plain-text obfuscation
gpudb_encrypt.sh [<options>] "plain text"

Returns the obfuscated version of the given plain text

--helpSee help info for running command
--cipherChoose alternate encryption cipher; default cipher is 256-bit AES
gpudb_decrypt.sh [<options>] <obfuscated text>

Returns the plain text version of the given obfuscated text

--helpSee help info for running command
--cipherChoose alternate decryption cipher; default cipher is 256-bit AES


A common use case is in obfuscating the plain-text LDAP password in the HTTPD configuration file when external authentication or external authentication w/ SSL is configured.

To encrypt the AuthLDAPBindPassword in the /opt/gpudb/httpd/conf/data.conf file:

  1. Generate a new encryption key, if one does not already exist:

    $ /opt/gpudb/core/bin/gpudb_generate_key.sh
  2. Obfuscate the LDAP bind password to be used:

    $ /opt/gpudb/core/bin/gpudb_encrypt.sh "secret password"
  3. The obfuscated password can be verified by decrypting it:

    $ /opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
    secret password
  4. Modify the /opt/gpudb/httpd/conf/data.conf file's AuthLDAPBindPassword with the obfuscated password and decryption command:

    ## Password of user for search during bind
    AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk"