Transparent Metadata Encryption
In the default configuration, Virtual DataPort uses the Apache Derby database to store the metadata (data sources, views, web services…). Virtual DataPort uses authentication and authorization mechanisms to protect the access to the data and the metadata, but not at the operating system level where the data files of Apache Derby are stored. By default, Virtual DataPort stores the passwords (i.e. passwords of the data sources and user accounts) encrypted or hashed but it stores the other metadata without encryption.
You can enable Transparent Metadata Encryption to encrypt all the metadata, not just the passwords. This uses the Advanced Encryption Standard (AES-128). After enabling this feature, the metadata is transparently decrypted when it is accessed, so users do not need to be aware that the metadata they are accessing is encrypted, nor do they have to change any setting on their end.
The Transparent Metadata Encryption is unrelated to how the data is transmitted across the network from/to Virtual DataPort.
If you configured Virtual DataPort to store the metadata on an external database, this information does not apply and, to store the metadata encrypted, you have to rely on the features provided by this external database to encrypt data.
Enabling Transparent Metadata Encryption
Follow these steps to encrypt the metadata:
Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.
Stop Virtual DataPort.
From the command line, execute this:
For Windows:
cd <DENODO_HOME>\setup\vdp
encryptMetadata.bat --interactive
For Linux:
cd <DENODO_HOME>/setup/vdp
./encryptMetadata.sh --interactive
The script will prompt you for the password to encrypt the metadata. This does not have to be your administrator password; it can be any password.
You will need this password to stop encrypting the metadata or to change the encryption password.
Start Virtual DataPort.
Changing the Password for the Transparent Metadata Encryption
Follow these steps to change the password used to encrypt the metadata database:
Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.
Stop Virtual DataPort.
From the command line, execute the following:
For Windows:
cd <DENODO_HOME>\setup\vdp
encryptMetadata.bat --interactive
For Linux:
cd <DENODO_HOME>/setup/vdp
./encryptMetadata.sh --interactive
Enter 1 (Reset password) and press Enter. You will have to provide the password you used to encrypt the metadata and the new password.
Start Virtual DataPort.
Disabling Transparent Metadata Encryption
Follow these steps to decrypt the metadata:
Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.
Stop Virtual DataPort.
From the command line, execute this:
For Windows:
cd <DENODO_HOME>\setup\vdp
encryptMetadata.bat --interactive
For Linux:
cd <DENODO_HOME>/setup/vdp
./encryptMetadata.sh --interactive
Enter 2 (Decrypt) and press Enter. You will have to provide the password you used to encrypt the metadata.
Start Virtual DataPort.