[ https://issues.apache.org/jira/browse/CLOUDSTACK-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Radhika Nair updated CLOUDSTACK-1743:
-------------------------------------

    Component/s: Doc

> No Section on About Password and Key Encryption Though Multiple References Appear in the Install Guide
> ------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-1743
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1743
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Doc
>    Affects Versions: 4.0.1
>            Reporter: Radhika Nair
>
> The following section is missing in the Install Guide:
>
> <section id="about-password-encryption">
>   <title>About Password and Key Encryption</title>
>   <para>&PRODUCT; stores several sensitive passwords and secret keys that are used to provide
>     security. These values are always automatically encrypted:</para>
>   <itemizedlist>
>     <listitem>
>       <para>Database secret key</para>
>     </listitem>
>     <listitem>
>       <para>Database password</para>
>     </listitem>
>     <listitem>
>       <para>SSH keys</para>
>     </listitem>
>     <listitem>
>       <para>Compute node root password</para>
>     </listitem>
>     <listitem>
>       <para>VPN password</para>
>     </listitem>
>     <listitem>
>       <para>User API secret key</para>
>     </listitem>
>     <listitem>
>       <para>VNC password</para>
>     </listitem>
>   </itemizedlist>
>   <para>&PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are
>     encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;’s
>     internal properties files along with the database password. The other encrypted values listed
>     above, such as SSH keys, are in the &PRODUCT; internal database.</para>
>   <para>Of course, the database secret key itself cannot be stored in the open – it must be
>     encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an
>     external source during Management Server startup. This key can be provided in one of two ways:
>     loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a new
>     configuration setting that lets it know which of these methods will be used. If the encryption
>     type is set to “file,” the key must be in a file in a known location. If the encryption type is
>     set to “web,” the administrator runs the utility com.cloud.utils.crypt.EncryptionSecretKeySender,
>     which relays the key to the Management Server over a known port.</para>
>   <para>The encryption type, database secret key, and Management Server secret key are set during
>     &PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script
>     (cloud-setup-databases). The default values are file, password, and password. It is, of course,
>     highly recommended that you change these to more secure keys.</para>
> </section>
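The two-layer scheme the proposed section describes (a Management Server secret key that unwraps the database secret key held in a properties file, and that database secret key in turn protecting the values stored in the database) can be illustrated with jasypt directly. The following is an added example for this issue, not CloudStack's own code: it uses jasypt's StandardPBEStringEncryptor and EncryptableProperties with the library's default PBEWithMD5AndDES algorithm. The property names (db.cloud.encryption.type, db.cloud.encrypt.secret, db.cloud.password) and the sample values are assumptions made for the example, and only the "file" encryption type is modelled; the "web" path via EncryptionSecretKeySender is not reproduced.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.EncryptableProperties;

/**
 * Illustrative two-layer key scheme (example code, not CloudStack's own):
 *  - an outer "Management Server secret key" (read from a file when the
 *    encryption type is "file") unwraps the entries of a properties file;
 *  - the database secret key recovered from that file then encrypts and
 *    decrypts the sensitive values kept in the database.
 * Property names below are assumptions for this example.
 */
public class KeyLayeringDemo {

    /** One jasypt PBE encryptor per key; PBEWithMD5AndDES is jasypt's default PBE algorithm. */
    static StandardPBEStringEncryptor pbe(String key) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWithMD5AndDES");
        enc.setPassword(key);
        return enc;
    }

    /** Stage 1: the Management Server key unwraps ENC(...) entries of the properties file. */
    static Properties loadProperties(String managementServerKey, String propertiesText) throws IOException {
        Properties props = new EncryptableProperties(pbe(managementServerKey));
        props.load(new ByteArrayInputStream(propertiesText.getBytes(StandardCharsets.ISO_8859_1)));
        return props; // getProperty() transparently decrypts values wrapped in ENC(...)
    }

    public static void main(String[] args) throws IOException {
        // "password" is the documented default for both keys; pass a real key as the first argument.
        String managementServerKey = args.length > 0 ? args[0] : "password";
        String dbSecretKey = "example-db-secret-key";   // constructed sample value
        String dbPassword  = "example-db-password";     // constructed sample value

        // What an installer would write to the properties file: the database secret key and
        // database password, each encrypted under the Management Server key and wrapped in ENC().
        StandardPBEStringEncryptor outer = pbe(managementServerKey);
        String propertiesText =
              "db.cloud.encryption.type=file\n"                                   // assumed name
            + "db.cloud.encrypt.secret=ENC(" + outer.encrypt(dbSecretKey) + ")\n"  // assumed name
            + "db.cloud.password=ENC(" + outer.encrypt(dbPassword) + ")\n";        // assumed name

        Properties props = loadProperties(managementServerKey, propertiesText);
        String recoveredDbKey = props.getProperty("db.cloud.encrypt.secret");
        System.out.println("database password: " + props.getProperty("db.cloud.password"));

        // Stage 2: the recovered database secret key protects values stored in the database,
        // e.g. a VNC password. jasypt prepends a fresh random salt, so ciphertexts differ per run.
        StandardPBEStringEncryptor inner = pbe(recoveredDbKey);
        String storedVncPassword = inner.encrypt("example-vnc-password"); // what lands in the DB row
        System.out.println("stored VNC password (ciphertext): " + storedVncPassword);
        System.out.println("VNC password (decrypted)        : " + inner.decrypt(storedVncPassword));

        // Failure mode: with the wrong Management Server key the database secret key cannot be
        // recovered; jasypt normally reports this as EncryptionOperationNotPossibleException.
        try {
            loadProperties("not-the-real-key", propertiesText).getProperty("db.cloud.encrypt.secret");
            System.out.println("unexpected: decryption under the wrong key did not fail");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong Management Server key: database secret key not recoverable");
        }
    }
}
```

Compile and run with the jasypt jar on the classpath (javac -cp jasypt.jar KeyLayeringDemo.java; java -cp .:jasypt.jar KeyLayeringDemo mykey). The point the example makes is the one the section leaves implicit: the strength of everything in the database rests on the Management Server key, so leaving it at the default "password" makes the ENC(...) entries in the properties file, and through them every value in the list above, recoverable by anyone who can read that file.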