Installation Encryption Key
During the installation of the Denodo Platform and the Solution Manager, the installer creates a unique encryption key that the modules of this installation use to encrypt sensitive configuration properties (e.g. passwords) and metadata. If you are using the automated mode of Solution Manager and the Denodo Platform images referenced for the cluster creation do not contain an encryption key, the encryption key is automatically copied from the Solution Manager to the Denodo Platform cluster nodes (VDP, Scheduler or Data Catalog).
The encryption key is located in a keystore at <DENODO_HOME>/conf/denodo-key.keystore, and the access configuration to it is stored in the configuration file <DENODO_HOME>/conf/denodo-keystore.json. This configuration can be adapted to the needs of the environment.
Important
Due to this unique installation-specific configuration, metadata exports will not be compatible between installations unless:
A custom key is used to export and import in other environments or
Both installations have been configured with the same encryption key.
Sharing the metadata database for any product requires using the same encryption key on all the nodes. Custom export keys will not provide compatibility in this scenario.
The general recommendation is to use just one encryption key for every installation (either Denodo Platform or Solution Manager) in your organization so that you maximize the compatibility of metadata. Read the page Replicate the Encryption Key Across All the Installations for more details on how to share the same encryption key.
There are two main related elements in an installation:
Encryption key
Keystore password
Encryption key
A random sequence of ASCII characters that is used as the encryption key to secure sensitive metadata, such as passwords in configuration files or metadata objects. This value is stored inside a keystore and is not used outside the product. Access to the keystore is configured in the <DENODO_HOME>/conf/denodo-keystore.json file.
The encryption key on a fresh installation may be changed.
Keystore password
The encryption key is protected in the keystore behind a password. This password may be known by the system administrators and can be updated without requiring any migration of metadata.
By default the password is stored in the <DENODO_HOME>/conf/denodo-keystore.json file, but it can be loaded from other locations as described in Configure Keystore Password Loader.
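Because the keystore and the file that by default holds its password sit side by side in <DENODO_HOME>/conf, checking the permissions on both is a useful hardening step. The script below is an added example, not part of the Denodo documentation or product; the owner-only access policy, the function names and the /opt/denodo path are assumptions.

```shell
#!/bin/sh
# Added example, not Denodo code. Assumption: only the account that owns the
# installation needs access, so any group/other permission bit is a finding.

# True when the path has any of the given permission bits set (POSIX find).
has_bits() {
    p=$1; shift
    for bits in "$@"; do
        [ -n "$(find "$p" -prune -perm "-$bits")" ] && return 0
    done
    return 1
}

# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_denodo_key_files() {
    conf="$1/conf"
    [ -n "$1" ] && [ -d "$conf" ] || { echo "no conf directory under '$1'" >&2; return 2; }
    findings=0
    # A directory writable by group or others lets them swap the files.
    if has_bits "$conf" 020 002; then
        echo "WRITABLE $conf"; findings=$((findings + 1))
    fi
    for name in denodo-key.keystore denodo-keystore.json; do
        path="$conf/$name"
        if [ -L "$path" ]; then
            echo "SYMLINK  $path"; findings=$((findings + 1))
        elif [ ! -f "$path" ]; then
            echo "MISSING  $path"; findings=$((findings + 1))
        elif has_bits "$path" 040 020 010 004 002 001; then
            echo "LOOSE    $path"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /opt/denodo   (the path is a placeholder)
if [ "$#" -ge 1 ]; then audit_denodo_key_files "$1"; fi
```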
The following sections explain how to manage the encryption key in the Denodo Platform: