%BOOK_ENTITIES; ]>

&PRODUCT; stores several sensitive passwords and secret keys that are used to provide security. These values are always automatically encrypted: Database secret key Database password SSH keys Compute node root password VPN password User API secret key VNC password &PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;’s internal properties files along with the database password. The other encrypted values listed above, such as SSH keys, are in the &PRODUCT; internal database. Of course, the database secret key itself can not be stored in the open – it must be encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an external source during Management Server startup. This key can be provided in one of two ways: loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a new configuration setting that lets it know which of these methods will be used. If the encryption type is set to "file," the key must be in a file in a known location. If the encryption type is set to "web," the administrator runs the utility com.cloud.utils.crypt.EncryptionSecretKeySender, which relays the key to the Management Server over a known port. The encryption type, database secret key, and Management Server secret key are set during &PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script (cloud-setup-databases). The default values are file, password, and password. It is, of course, highly recommended that you change these to more secure keys.