Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated, for security reasons. A method for doing so has been made available via a set of scripts.
The encryption key generated for performing the obfuscation will be available to
gpudb users to encrypt/decrypt passwords, as
Three utilities are provided to enable obfuscation of plain-text passwords in configuration files.
All scripts are located under
|gpudb_generate_key.sh||Generates an encryption key for use in plain-text obfuscation|
|gpudb_encrypt.sh [<options>] "plain text"|
Returns the obfuscated version of the given plain text
|gpudb_decrypt.sh [<options>] <obfuscated text>|
Returns the plain text version of the given obfuscated text
To encrypt the AuthLDAPBindPassword in the
Generate a new encryption key, if one does not already exist:
Obfuscate the LDAP bind password to be used:
$ /opt/gpudb/core/bin/gpudb_encrypt.sh "secret password" U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
The obfuscated password can be verified by decrypting it:
$ /opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk secret password
/opt/gpudb/httpd/conf/data.conffile's AuthLDAPBindPassword with the obfuscated password and decryption command:
## Password of user for search during bind AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk"