Radhika Nair created CLOUDSTACK-1743:
----------------------------------------

             Summary: No Section on About Password and Key Encryption Though Multiple References Appear in the Install Guide
                 Key: CLOUDSTACK-1743
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1743
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Radhika Nair

The following section is missing in the Install Guide:

<section id="about-password-encryption">
  <title>About Password and Key Encryption</title>
  <para>&PRODUCT; stores several sensitive passwords and secret keys that are used to provide security. These values are always automatically encrypted:</para>
  <itemizedlist>
    <listitem>
      <para>Database secret key</para>
    </listitem>
    <listitem>
      <para>Database password</para>
    </listitem>
    <listitem>
      <para>SSH keys</para>
    </listitem>
    <listitem>
      <para>Compute node root password</para>
    </listitem>
    <listitem>
      <para>VPN password</para>
    </listitem>
    <listitem>
      <para>User API secret key</para>
    </listitem>
    <listitem>
      <para>VNC password</para>
    </listitem>
  </itemizedlist>
  <para>&PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;’s internal properties files along with the database password. The other encrypted values listed above, such as SSH keys, are in the &PRODUCT; internal database.</para>
  <para>Of course, the database secret key itself cannot be stored in the open – it must be encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an external source during Management Server startup. This key can be provided in one of two ways: loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a new configuration setting that lets it know which of these methods will be used. If the encryption type is set to “file,” the key must be in a file in a known location. If the encryption type is set to “web,” the administrator runs the utility com.cloud.utils.crypt.EncryptionSecretKeySender, which relays the key to the Management Server over a known port.</para>
  <para>The encryption type, database secret key, and Management Server secret key are set during &PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script (cloud-setup-databases). The default values are file, password, and password. It is, of course, highly recommended that you change these to more secure keys.</para>
</section>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
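As an added illustration (not part of the ticket and not CloudStack's own code), the layered scheme the section describes, modelled with JASYPT's StandardPBEStringEncryptor: a Management Server key read from a file unwraps the database secret key, which in turn decrypts the stored database password. The property names, the key-file location and the check for the install default "password" are assumptions made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

public class KeyChainDemo {
    // The install-time default the section says to change; refused at startup here.
    static final String INSTALL_DEFAULT_KEY = "password";

    static StandardPBEStringEncryptor encryptor(String key) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(key); // JASYPT derives the cipher key from this password (PBEWithMD5AndDES by default)
        return enc;
    }

    // Encryption type "file": the Management Server key is read from a known location.
    static String loadManagementServerKey(Path keyFile) throws IOException {
        String key = Files.readString(keyFile, StandardCharsets.UTF_8).trim();
        if (INSTALL_DEFAULT_KEY.equals(key)) {
            throw new IllegalStateException("Management Server key is still the install default");
        }
        return key;
    }

    // Startup path: unwrap the database secret key, then decrypt the stored database password.
    static String recoverDbPassword(Properties props, String msKey) {
        if (!"file".equals(props.getProperty("db.cloud.encryption.type"))) {
            throw new IllegalStateException("this example only models the \"file\" encryption type");
        }
        String dbSecretKey = encryptor(msKey).decrypt(props.getProperty("db.cloud.encrypt.secret"));
        return encryptor(dbSecretKey).decrypt(props.getProperty("db.cloud.password"));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values standing in for what the database setup script writes.
        String msKey = "ms-key-CHANGE-ME", dbSecretKey = "db-secret-CHANGE-ME", dbPassword = "cloud-db-pw";
        Path keyFile = Files.createTempFile("cloudstack-ms-key", ".txt");
        Files.writeString(keyFile, msKey, StandardCharsets.UTF_8);

        Properties props = new Properties(); // property names are assumptions for this example
        props.setProperty("db.cloud.encryption.type", "file");
        props.setProperty("db.cloud.encrypt.secret", encryptor(msKey).encrypt(dbSecretKey));
        props.setProperty("db.cloud.password", encryptor(dbSecretKey).encrypt(dbPassword));

        String recovered = recoverDbPassword(props, loadManagementServerKey(keyFile));
        System.out.println(dbPassword.equals(recovered) ? "round trip OK" : "MISMATCH");
    }
}
```

Writing "password" into the key file makes loadManagementServerKey fail fast, which is the check an operator wants before the Management Server ever decrypts anything.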