Overview
Some deployments of Kinetica may require that plain-text passwords in configuration files be obfuscated for security reasons. A set of scripts is provided for this purpose. The encryption key generated for the obfuscation is available to the root and gpudb users, who can use it to encrypt and decrypt passwords as necessary.
Utilities
Three utilities are provided to enable obfuscation of plain-text passwords in configuration files. All scripts are located under /opt/gpudb/core/bin.

| Script | Description |
|---|---|
| gpudb_generate_key.sh | Generates an encryption key for use in plain-text obfuscation |
| gpudb_encrypt.sh [<options>] "plain text" | Returns the obfuscated version of the given plain text. Options: --help: See help info for running command; --cipher: Choose alternate encryption cipher; default cipher is 256-bit AES |
| gpudb_decrypt.sh [<options>] <obfuscated text> | Returns the plain text version of the given obfuscated text. Options: --help: See help info for running command; --cipher: Choose alternate decryption cipher; default cipher is 256-bit AES |
Example
A common use case is obfuscating the plain-text LDAP password in the HTTPD configuration file when external authentication or external authentication with SSL is configured. To encrypt the AuthLDAPBindPassword in the /opt/gpudb/httpd/conf/data.conf file:
- Generate a new encryption key, if one does not already exist:
- Obfuscate the LDAP bind password to be used:
- The obfuscated password can be verified by decrypting it:
- Modify the /opt/gpudb/httpd/conf/data.conf file's AuthLDAPBindPassword with the obfuscated password and decryption command:
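
The final step of the procedure above, as an added example (not code from the original page and not Kinetica's own tooling): two shell functions that rewrite the directive and then check that no literal bind password remains in the file. It assumes the decryption command is supplied through the exec: prefix that Apache mod_authnz_ldap accepts for AuthLDAPBindPassword, and that the obfuscated text contains no whitespace, quotes or backslashes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Kinetica tooling. Assumes Apache's "exec:" form of
# AuthLDAPBindPassword is how the decryption command is supplied.
DECRYPT=/opt/gpudb/core/bin/gpudb_decrypt.sh   # script location given on the page

# audit_bind_password CONF
# Report each AuthLDAPBindPassword that still holds a literal value instead of
# an exec: command. Exit status 0 = none found, 1 = at least one found.
audit_bind_password() {
    awk '
        tolower($1) == "authldapbindpassword" {
            val = $2
            sub(/^"/, "", val)
            if (val !~ /^exec:/) {
                printf "%s:%d: literal bind password\n", FILENAME, FNR
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# set_bind_password CONF OBFUSCATED
# Point every AuthLDAPBindPassword in CONF at the decrypt script, keeping the
# line's indentation. OBFUSCATED is the output of gpudb_encrypt.sh.
set_bind_password() {
    conf=$1
    obf=$2
    # Refuse values that would break the quoted directive (assumed token shape).
    if [ -z "$obf" ] || printf '%s' "$obf" | grep -q '[[:space:]"\\]'; then
        echo "set_bind_password: empty or unsafe obfuscated text" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    # Write back with cat so the file keeps its owner and mode.
    awk -v cmd="exec:$DECRYPT $obf" '
        tolower($1) == "authldapbindpassword" {
            match($0, /^[ \t]*/)
            printf "%sAuthLDAPBindPassword \"%s\"\n", substr($0, 1, RLENGTH), cmd
            next
        }
        { print }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```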