apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-11-04 00:02:37 +01:00
Code Issues Packages Projects Releases Wiki Activity
cloudstack/docs/en-US/about-password-encryption.xml

66 lines
3.2 KiB
XML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<section id="about-password-encryption">
<title>About Password and Key Encryption</title>
<para>&PRODUCT; stores several sensitive passwords and secret keys that are used to provide
security. These values are always automatically encrypted:</para>
<itemizedlist>
<listitem>
<para>Database secret key</para>
</listitem>
<listitem>
<para>Database password</para>
</listitem>
<listitem>
<para>SSH keys</para>
</listitem>
<listitem>
<para>Compute node root password</para>
</listitem>
<listitem>
<para> VPN password</para>
</listitem>
<listitem>
<para>User API secret key</para>
</listitem>
<listitem>
<para>VNC password</para>
</listitem>
</itemizedlist>
<para>&PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are
encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;s
internal properties files along with the database password. The other encrypted values listed
above, such as SSH keys, are in the &PRODUCT; internal database.</para>
<para>Of course, the database secret key itself can not be stored in the open it must be
encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an
external source during Management Server startup. This key can be provided in one of two ways:
loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a
configuration setting that lets it know which of these methods will be used. If the encryption
type is set to "file," the key must be in a file in a known location. If the encryption type is
set to "web," the administrator runs the utility
com.cloud.utils.crypt.EncryptionSecretKeySender, which relays the key to the Management Server
over a known port.</para>
<para>The encryption type, database secret key, and Management Server secret key are set during
&PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script
(cloud-setup-databases). The default values are file, password, and password. It is, of course,
highly recommended that you change these to more secure keys.</para>
</section>
Reference in New Issue View Git Blame Copy Permalink