Transparent Metadata Encryption

Virtual DataPort uses the Apache Derby database to store the metadata (data sources, views, web services…). Virtual DataPort uses authentication and authorization mechanisms to protect access to the data and the metadata, but these mechanisms do not apply at the operating system level, where the Apache Derby data files are stored. By default, Virtual DataPort stores the passwords (i.e. passwords of the data sources and user accounts) encrypted or hashed, but it stores the other metadata without encryption.

You can enable Transparent Metadata Encryption to encrypt all the metadata, not just the passwords. This uses the Advanced Encryption Standard (AES-128). After enabling this feature, the metadata is transparently decrypted when it is accessed, so users do not need to be aware that the metadata they are accessing is encrypted, nor do they have to change any setting on their end.

The Transparent Metadata Encryption is unrelated to how the data is transmitted across the network from/to Virtual DataPort.

Enabling Transparent Metadata Encryption

Follow these steps to encrypt the metadata:

  1. Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.

  2. Stop Virtual DataPort.

  3. From the command line, execute the following:

    For Windows:

    cd <DENODO_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <DENODO_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  4. The script will prompt you for the password to encrypt the metadata. This does not have to be your administrator password; it can be any password.

    You will need this password to stop encrypting the metadata or to change the encryption password.

  5. Start Virtual DataPort.
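
To check the result at the operating system level, the following added example (not part of the Denodo documentation or tooling) scans a metadata database directory for names you know exist in the catalog, such as a view or data source name. A hit after enabling encryption means that file still holds the name unencrypted. The directory location and the marker name `customer_orders` are assumptions supplied by the caller; the page does not state where the Derby files live.

```shell
#!/bin/sh
# Added example (not Denodo code): confirm that known metadata names are not
# readable as cleartext in the files of the metadata database.
# Usage (placeholder path and constructed marker name):
#   scan_cleartext /path/to/metadata_db customer_orders

# scan_cleartext DIR MARKER [MARKER...]
# Prints "<marker><TAB><file>" for each file under DIR that contains MARKER
# as raw bytes. Returns 0 when no marker is found, 1 when at least one is,
# 2 on a usage error.
scan_cleartext() {
    if [ "$#" -lt 2 ] || [ ! -d "$1" ]; then
        echo "usage: scan_cleartext DIR MARKER [MARKER...]" >&2
        return 2
    fi
    sc_dir=$1
    shift
    sc_found=0
    for sc_marker in "$@"; do
        # -a: read binary files as text, -F: fixed string, -l: file names only.
        # LC_ALL=C makes grep compare bytes rather than locale characters.
        # "|| :" keeps the hits even when grep reports no match or an unreadable file.
        sc_files=$(LC_ALL=C grep -r -a -l -F -e "$sc_marker" "$sc_dir" 2>/dev/null) || :
        if [ -n "$sc_files" ]; then
            sc_found=1
            printf '%s\n' "$sc_files" | while IFS= read -r sc_file; do
                printf '%s\t%s\n' "$sc_marker" "$sc_file"
            done
        fi
    done
    return "$sc_found"
}
```

Run it against the directory before and after enabling encryption, using the same marker names, and compare the two results.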

Changing the Password for the Transparent Metadata Encryption

Follow these steps to change the password used to encrypt the metadata database:

  1. Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.

  2. Stop Virtual DataPort.

  3. From the command line, execute the following:

    For Windows:

    cd <DENODO_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <DENODO_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  4. Enter 1 (Reset password) and press Enter. You will have to provide the password you used to encrypt the metadata and the new password.

  5. Start Virtual DataPort.

Disabling Transparent Metadata Encryption

Follow these steps to decrypt the metadata:

  1. Log in to the host where Virtual DataPort runs, with the user account you use to start the Denodo servers.

  2. Stop Virtual DataPort.

  3. From the command line, execute the following:

    For Windows:

    cd <DENODO_HOME>\setup\vdp
    encryptMetadata.bat --interactive
    

    For Linux:

    cd <DENODO_HOME>/setup/vdp
    ./encryptMetadata.sh --interactive
    
  4. Enter 2 (Decrypt) and press Enter. You will have to provide the password you used to encrypt the metadata.

  5. Start Virtual DataPort.