

Installation Encryption Key

During the installation of the Denodo Platform and the Solution Manager, the installer creates a unique encryption key that the modules of this installation use to encrypt sensitive configuration properties (e.g. passwords) and metadata. If you use the automated mode of Solution Manager and the Denodo Platform images referenced for the cluster creation do not contain an encryption key, the encryption key is automatically copied from the Solution Manager to the Denodo Platform cluster nodes (VDP, Scheduler or Data Catalog).

The encryption key is located in a keystore at <DENODO_HOME>/conf/denodo-key.keystore, and the access configuration to it is stored in the configuration file <DENODO_HOME>/conf/denodo-keystore.json. This configuration can be adapted to the needs of the environment.

Important

Due to this unique installation-specific configuration, metadata exports will not be compatible between installations unless:

  • A custom key is used to export and import in other environments or

  • Both installations have been configured with the same encryption key.

Sharing the metadata database for any product requires using the same encryption key on all the nodes. Custom export keys will not provide compatibility in this scenario.

The general recommendation is to use just one encryption key for every installation (either Denodo Platform or Solution Manager) in your organization so that you maximize the compatibility of metadata. Read the page Replicate the Encryption Key Across All the Installations for more details on how to share the same encryption key.

Two main elements are involved in an installation:

  • Encryption key

  • Keystore password

Encryption key

A random sequence of ASCII characters used as the encryption key to secure sensitive metadata, such as passwords in configuration files or metadata objects. This value is stored inside a keystore and is not used outside the product. Access to the keystore is configured in the <DENODO_HOME>/conf/denodo-keystore.json file. The encryption key on a fresh installation may be changed.

Keystore password

The encryption key is protected in the keystore behind a password. This password may be known by the system administrators and can be updated without requiring any migration of metadata. By default, the password is stored in <DENODO_HOME>/conf/denodo-keystore.json, but it can be loaded from other locations as described in Configure Keystore Password Loader.
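Because the keystore and, by default, its password sit side by side under <DENODO_HOME>/conf, a file-permission audit of those two files is a natural check. The script below is an added example, not part of the Denodo documentation or product; it assumes a POSIX host, and the owner-only access policy it enforces is an assumption, not a documented Denodo requirement.

```python
import os
import stat
import sys

# File names are taken from the page; everything else is an assumption.
SENSITIVE_FILES = ("denodo-key.keystore", "denodo-keystore.json")


def audit_keystore_files(denodo_home):
    """Return a list of findings for the keystore and its access config.

    Assumed policy (not stated by Denodo): both files are regular files
    accessible only by their owner, and conf/ is writable only by its owner.
    """
    findings = []
    conf_dir = os.path.join(denodo_home, "conf")
    try:
        conf_mode = stat.S_IMODE(os.stat(conf_dir).st_mode)
    except FileNotFoundError:
        return [f"{conf_dir}: directory not found"]
    # A conf/ directory writable by others lets them swap the files out.
    if conf_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{conf_dir}: writable by group/other ({conf_mode:04o})")

    for name in SENSITIVE_FILES:
        path = os.path.join(conf_dir, name)
        try:
            st = os.lstat(path)  # lstat: do not follow symlinks
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{path}: not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: accessible by group/other ({mode:04o})")
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    # Pass the installation directory (DENODO_HOME) as the only argument.
    problems = audit_keystore_files(sys.argv[1])
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

If the keystore password is loaded from another location, the JSON file still describes how the keystore is accessed, so the same check applies to it.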

The following sections explain how to manage the encryption key in the Denodo Platform:
