Overview
Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated, for security reasons. A method for doing so has been made available via a set of scripts.
The encryption key generated for performing the obfuscation will be available to
the root and gpudb users to encrypt/decrypt passwords, as
necessary.
Utilities
Three utilities are provided to enable obfuscation of plain-text passwords in configuration files.
All scripts are located under /opt/gpudb/core/bin.
| Script | Description | ||||||
|---|---|---|---|---|---|---|---|
| gpudb_generate_key.sh | Generates an encryption key for use in plain-text obfuscation | ||||||
| gpudb_encrypt.sh [<options>] "plain text" | Returns the obfuscated version of the given plain text
| ||||||
| gpudb_decrypt.sh [<options>] <obfuscated text> | Returns the plain text version of the given obfuscated text
|
Example
A common use case is in obfuscating the plain-text LDAP password in the HTTPD configuration file when external authentication or external authentication w/ SSL is configured.
To encrypt the AuthLDAPBindPassword in the
/opt/gpudb/httpd/conf/data.conf file:
Generate a new encryption key, if one does not already exist:
$ /opt/gpudb/core/bin/gpudb_generate_key.sh
Obfuscate the LDAP bind password to be used:
$ /opt/gpudb/core/bin/gpudb_encrypt.sh "secret password" U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk
The obfuscated password can be verified by decrypting it:
$ /opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk secret password
Modify the
/opt/gpudb/httpd/conf/data.conffile's AuthLDAPBindPassword with the obfuscated password and decryption command:## Password of user for search during bind AuthLDAPBindPassword "exec:/opt/gpudb/core/bin/gpudb_decrypt.sh U2FsdGVkX18hfxI6MtztCHZIrrVpkhqmzuB/hGZ3b0umiYNFOtpSIS2JlAhWamTk"
