Encrypting Configuration Properties

By default, a new Kylo installation does not have any of its configuration properties encrypted. Once you have started Kylo for the first time, the easiest way to derive encrypted versions of property values is to post values to the Kylo services/encrypt endpoint to have it generate an encrypted form for you. You could then paste the encrypted value back into your properties file and mark it as encrypted by prepending the values with {cipher}. For instance, if you wanted to encrypt the Hive datasource password specified in application.properties (assuming the password is “mypassword”), you can get its encrypted form using the curl command like this:

$ curl -u dladmin:thinkbig -H "Content-Type: text/plain; charset=UTF-8" localhost:8400/proxy/v1/feedmgr/util/encrypt –d mypassword
29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0

You then copy that value and replace the clear text password string in the properties file with the encrypted value:

hive.datasource.password={cipher}29fcf1534a84700c68f5c79520ecf8911379c8b5ef4427a696d845cc809b4af0

The benefit of this approach is that you will be getting a value that is guaranteed to work with the encryption settings of the server where that configuration value is being used. Once you have replaced all properties you wish to have encrypted in the properties files, you can restart the Kylo services to use them.

Encrypting Configuration Property Values with Spring CLI

  1. Install the Spring CLI client Mac example. In this example we will use Home Brew to install it on a Mac:
$ brew tap pivotal/tap
$ brew install springboot
$ spring install org.springframework.cloud:spring-cloud-cli:1.0.0.BUILD-SNAPSHOT
  1. Install the Spring CLI client Linux example:
$ wget http://repo.spring.io/release/org/springframework/boot/spring-boot-cli/1.5.3.RELEASE/spring-boot-cli-1.5.3.RELEASE-bin.tar.gz
$ sudo mkdir /apps/spring-boot
$ sudo tar -xvf /tmp/spring-boot-cli-1.5.3.RELEASE-bin.tar.gz -C /apps/spring-boot/

$ sudo vi  /etc/profile
export SPRING_HOME=/apps/spring-boot/spring-1.5.3.RELEASE
export JAVA_HOME=/usr/lib/jvm/jre-1.8.0
export PATH=$SPRING_HOME/bin:$JAVA_HOME/bin:$PATH


$ source /etc/profile

$ sudo chown -R centos:centos /apps/spring-boot/
$ spring install org.springframework.cloud:spring-cloud-cli:1.3.1.RELEASE
  1. Copy the /apps/kylo/encrypt.key file to the computer with the Spring CLI client (if different)
  2. Encrypt the values. Note: Make sure to use single quotes around the password. If not special characters like $ will cause issues:
$ spring encrypt 'Pretend$Password' --key ./encrypt.key
dda0202d65ac03d250b1bc77afcf1097954wee08fc118b0f804a66xx286f61ae
  1. Decrypt values
$ spring decrypt dda0202d65ac03d250b1bc77afcf1097954wee08fc118b0f804a66xx286f61ae --key encrypt.key