/etc/cloudstack/management/key (the file-based approach) contains a "password" that is used to DECRYPT (every time the mgmt server boots) the value of "db.cloud.encrypt.secret" from the db.properties file - and then this decrypted value (kept in memory) is used to decrypt various other values from the DB.

The one-time-ever encryption of the raw "db.cloud.encrypt.secret" value, obviously, happens when you run

cloudstack-setup-databases cloud:<cloud db password>@<cloud db host> -i <management server IP address> -m <mgmt-key> -k <database-encryption-key>

(it's encrypted using the value of the "key" file).

I haven't played with a web-based solution, nor have I seen anyone using this approach - either way, whoever logs into the mgmt server (e.g. an intruder) will be reading the "key" (or the web-based value) and then use it further - so no need to complicate things with the web-based approach, I guess.

An interesting thing to know is how to decrypt one using the other (useful e.g. during parallel upgrades etc.):

java -classpath /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.sh input=<db.cloud.encrypt.secret-value> password=<management-key-value> verbose=true

The same way you can use <db.cloud.encrypt.secret-value> to decrypt some values from the DB (not that you will probably need it any time soon...)

Best,

On Sun, 28 Feb 2021 at 02:36, Christopher Brown <vas...@gmx.de> wrote:

> Hello everyone,
>
> I am currently making my first steps with CloudStack and therefore stumble
> into some problems and understanding issues.
> My first topic is regarding the usage of the Management Server secret key.
>
> As in the official installation guide, this key is provided for en- and
> decryption of the database key. So this should take place every time the
> server / the service is started. However I am facing some trouble in how
> the key is passed from the administrator to the system.
>
> One way of providing the key is via the parameter file and then with a
> file containing the password in plain text.
> Which can be dealt with.
> However the "web" option gives me some headache. When and how is the
> administrator going to give the password to the system?
> I was looking through the guides and Google, but sadly I didn't find a
> proper explanation.
> Maybe someone can give me some glimpse or referral to additional sources?
>
> With kind regards,
> Christopher Brown
>

--
Andrija Panić
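The two-step chain described in the reply above (key file -> db.cloud.encrypt.secret -> values stored in the DB), replayed with the jasypt library that ships with CloudStack. This is an added example, not code from the thread or from the CloudStack project. It assumes jasypt's default algorithm PBEWithMD5AndDES (the one JasyptPBEStringDecryptionCLI uses when no algorithm= is given), assumes that cloudstack-setup-databases writes the db.properties values as ENC(...) so that jasypt's EncryptableProperties can unwrap them, and the class name, argument order and file paths are the example's own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.EncryptableProperties;

// Hypothetical helper (not CloudStack code): replays the two decryption steps
// the management server performs at boot.
//   1. the password in the "key" file unlocks db.cloud.encrypt.secret in db.properties
//   2. the unlocked db.cloud.encrypt.secret decrypts values stored encrypted in the DB
public class CloudStackSecretChain {

    // Assumption: jasypt's default PBE algorithm, which is also what
    // JasyptPBEStringDecryptionCLI uses when no algorithm= argument is passed.
    private static final String ALGORITHM = "PBEWithMD5AndDES";

    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(ALGORITHM);
        enc.setPassword(password);
        return enc;
    }

    /** Reads the management key from the file-based key store (default: /etc/cloudstack/management/key). */
    static String readManagementKey(String keyFile) throws IOException {
        // trim(): a trailing newline in the key file would otherwise become part of the password
        return new String(Files.readAllBytes(Paths.get(keyFile)), StandardCharsets.UTF_8).trim();
    }

    /** Loads db.properties; values written as ENC(...) are decrypted transparently on getProperty(). */
    static Properties loadDbProperties(String path, String managementKey) throws IOException {
        Properties props = new EncryptableProperties(encryptor(managementKey));
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 2) {
            System.err.println("usage: CloudStackSecretChain <key-file> <db.properties> [db-ciphertext]");
            System.exit(2);
        }
        try {
            String mgmtKey = readManagementKey(args[0]);
            Properties props = loadDbProperties(args[1], mgmtKey);

            // Step 1: the management key unlocks db.cloud.encrypt.secret.
            String dbSecret = props.getProperty("db.cloud.encrypt.secret");
            if (dbSecret == null) {
                System.err.println("db.cloud.encrypt.secret not found in " + args[1]);
                System.exit(1);
            }
            System.out.println("db.cloud.encrypt.secret = " + dbSecret);

            // Step 2: that secret, in turn, decrypts a value copied out of the cloud DB
            // (DB values are stored as bare jasypt Base64 ciphertext, without ENC()).
            if (args.length > 2) {
                StandardPBEStringEncryptor dbEncryptor = encryptor(dbSecret);
                System.out.println("decrypted DB value      = " + dbEncryptor.decrypt(args[2]));
            }
        } catch (EncryptionOperationNotPossibleException e) {
            // jasypt raises this both for a wrong password and for a ciphertext made with
            // a different algorithm/salt setup; it does not tell you which.
            System.err.println("decryption failed: wrong key, or ciphertext not produced with " + ALGORITHM);
            System.exit(1);
        }
    }
}
```

Compile and run against the jar the reply points at, e.g. `javac -cp /usr/share/cloudstack-common/lib/jasypt-1.9.3.jar CloudStackSecretChain.java` and then `java -cp .:/usr/share/cloudstack-common/lib/jasypt-1.9.3.jar CloudStackSecretChain /etc/cloudstack/management/key /etc/cloudstack/management/db.properties`. Because the decrypted secret goes to stdout, run it only on the management server itself and not in a shared terminal session: as the reply notes, anyone who can read the key file can do exactly this.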