Pentaho Documentation

Apply AES Password Encryption

Overview

Explains how to apply AES password security.

There are two ways to secure passwords in PDI: Kettle obfuscation and AES.  Kettle obfuscation is applied by default. To increase security, use the Advanced Encryption Standard (AES) instead.  The password security method you choose is applied to all passwords, including those in database connections, transformation steps, and job entries.  To learn more about AES, see http://en.wikipedia.org/wiki/Advanced_Encryption_Standard.

If you switch password security methods, all existing passwords will also use the new method.

Create an AES Key File

The key file is a text file that contains the encryption key.  You can use 128-bit, 192-bit, or 256-bit encryption strengths.  Based on your country of residence, there might be legal restrictions on using the stronger 192-bit or 256-bit encryption strengths.  To learn more about legal restrictions, see the Oracle site. 

To use the 192-bit or 256-bit encryption strengths, install the Java Cryptography Extension (JCE).  You do not need to install the JCE to use 128-bit encryption.  To learn more about the JCE, see the Oracle site.  

  1. Create a text file that contains a key phrase that is the correct length for the encryption strength you have chosen.  Note that leading and trailing whitespace is ignored.
  2. Save and close the file.

Safeguard the key file.  If the key file becomes corrupted or lost, passwords cannot be decrypted.
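As an added example (not part of the Pentaho documentation), the following Python helper writes a key file of the right length for a chosen strength and checks an existing one. It assumes that Kettle trims the key file text and uses the remaining UTF-8 bytes directly as the AES key, so the phrase must be exactly 16, 24 or 32 bytes for 128-, 192- or 256-bit AES; the output path in the main block is a placeholder.

```python
import secrets
from pathlib import Path

# AES key length in bytes per strength. The 192- and 256-bit strengths need the
# JCE installed, as the documentation notes.
KEY_BYTES = {128: 16, 192: 24, 256: 32}


def key_strength_of(file_text: str) -> int:
    """Return the AES strength (128/192/256) implied by a key file's contents.

    Assumption: Kettle ignores leading/trailing whitespace and uses the remaining
    text's bytes as the AES key, so the trimmed UTF-8 length must be exactly
    16, 24 or 32 bytes. Raises ValueError for any other length.
    """
    phrase = file_text.strip()
    n = len(phrase.encode("utf-8"))
    for bits, size in KEY_BYTES.items():
        if n == size:
            return bits
    raise ValueError(
        f"key phrase is {n} bytes after trimming; expected one of {sorted(KEY_BYTES.values())}"
    )


def make_key_phrase(bits: int) -> str:
    """Generate a random ASCII key phrase whose byte length matches the strength."""
    size = KEY_BYTES[bits]
    # token_hex(k) returns 2*k hex characters; each is a single UTF-8 byte,
    # so the phrase's byte length equals the key size exactly.
    return secrets.token_hex(size // 2)


def write_key_file(path, bits: int = 128) -> str:
    """Create the key file, restrict its permissions and re-check it (hypothetical helper)."""
    phrase = make_key_phrase(bits)
    p = Path(path)
    p.write_text(phrase, encoding="utf-8")
    try:
        p.chmod(0o600)  # owner read/write only; ignored where POSIX modes are unsupported
    except OSError:
        pass
    # Re-read the file to confirm what Kettle will actually see.
    if key_strength_of(p.read_text(encoding="utf-8")) != bits:
        raise RuntimeError("key file does not round-trip to the requested strength")
    return phrase


if __name__ == "__main__":
    import sys
    import tempfile

    strength = int(sys.argv[1]) if len(sys.argv) > 1 else 128
    # Placeholder location; in practice write the file to a protected directory.
    out = Path(tempfile.gettempdir()) / "keyfile.txt"
    write_key_file(out, strength)
    print(f"wrote {strength}-bit key file to {out}")
```

Run it with `python keyfile.py 256` to produce a 256-bit key file; `key_strength_of` alone is enough to check a key file somebody else created before you point kettle.properties at it.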

Specify AES Variables in kettle.properties

Set AES-specific variables in the kettle.properties file for Spoon, the DI Server, and any clusters.  

  1. Open the kettle.properties file for Spoon.  By default, the kettle.properties file is in the user’s home directory.
  2. Add the following variables and values.
     Variable: KETTLE_PASSWORD_ENCODER_PLUGIN
       Description: Required.  Indicates the type of plugin used.
       Value: AES

     Variable: KETTLE_AES_KEY_FILE
       Description: Required.  Indicates the path to the key file.  Relative paths are resolved against the Kettle working directory, NOT the location of the kettle.properties file.
       Value: Path to the key file.  Example: c:/securearea/keyfile.txt

     Variable: KETTLE_AES_KETTLE_PASSWORD_HANDLING
       Description: Optional.  Maintain backwards compatibility by setting this variable to DECODE.  If this is not set, Kettle-encoded passwords are not decoded.
       Value: DECODE
  3. Save and close the kettle.properties file.
  4. Repeat this process for other kettle.properties files on the DI Server and Cluster nodes.
  5. You might need to stop and restart Spoon, DI Server, and the Cluster nodes for the kettle.properties file to take effect.
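As an added example (not Pentaho's own tooling), this Python script sets the three AES variables in a kettle.properties file, replacing any existing definitions and leaving all other lines untouched, which is useful when the same change has to be repeated on the DI Server and every cluster node. It insists on an absolute key file path because of the working-directory resolution described above, and writes the path with forward slashes, as in the example c:/securearea/keyfile.txt. The simple line-based handling of the properties format is an assumption of this helper, not a description of how Kettle parses the file.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Values from the documentation: plugin id AES, and DECODE so that passwords stored
# with Kettle obfuscation are still decoded after the switch.
AES_SETTINGS = {
    "KETTLE_PASSWORD_ENCODER_PLUGIN": "AES",
    "KETTLE_AES_KEY_FILE": None,  # filled in from the argument
    "KETTLE_AES_KETTLE_PASSWORD_HANDLING": "DECODE",
}


def _normalize_key_path(key_file: str) -> str:
    """Require an absolute path and return it with forward slashes."""
    win, posix = PureWindowsPath(key_file), PurePosixPath(key_file)
    if win.is_absolute():  # e.g. c:\securearea\keyfile.txt or c:/securearea/keyfile.txt
        return win.as_posix()
    if posix.is_absolute():  # e.g. /opt/pentaho/secure/keyfile.txt
        return posix.as_posix()
    # A relative path would be resolved against the Kettle working directory,
    # not the kettle.properties location, so refuse it outright.
    raise ValueError(f"use an absolute key file path, got {key_file!r}")


def _defines_key(line: str, key: str) -> bool:
    """True if a properties line defines `key` with '=' or ':' (comments never match)."""
    s = line.lstrip()
    if not s.startswith(key):
        return False
    rest = s[len(key):].lstrip()
    return rest.startswith("=") or rest.startswith(":")


def apply_aes_settings(existing: str, key_file: str, decode_legacy: bool = True) -> str:
    """Return kettle.properties text with the AES variables set; other lines are kept as-is."""
    settings = dict(AES_SETTINGS)
    settings["KETTLE_AES_KEY_FILE"] = _normalize_key_path(key_file)
    if not decode_legacy:
        settings.pop("KETTLE_AES_KETTLE_PASSWORD_HANDLING")

    out, seen = [], set()
    for line in existing.splitlines():
        for key, value in settings.items():
            if _defines_key(line, key):
                out.append(f"{key}={value}")  # replace a stale definition in place
                seen.add(key)
                break
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}={value}")  # append variables that were not there yet
    return "\n".join(out) + "\n"


def update_kettle_properties(path: str, key_file: str, decode_legacy: bool = True) -> None:
    """Rewrite the kettle.properties file at `path` (created if missing)."""
    p = Path(path)
    text = p.read_text(encoding="utf-8") if p.exists() else ""
    p.write_text(apply_aes_settings(text, key_file, decode_legacy), encoding="utf-8")


if __name__ == "__main__":
    import sys

    # usage: python set_aes_props.py <kettle.properties> <absolute key file path>
    update_kettle_properties(sys.argv[1], sys.argv[2])
```

After running it, restart Spoon, the DI Server and the cluster nodes as step 5 says; the variables are only read when Kettle starts.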

Verify Correct Application

After you have applied AES Password encryption, test to make sure it works properly.

  1. Start Spoon.
  2. Create a blank transformation.
  3. Add a database connection that requires a password.  
  4. Save, then close the transformation.
  5. Use a text editor to open the transformation you just saved, then search for the name of the connection you created.
  6. Examine the password.  If the password is preceded by the letters AES, the encryption method was applied properly.  
  7. Close the transformation.
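The manual check in steps 5 and 6 can be automated. The Python script below is an added example, not part of the Pentaho documentation: it parses a saved transformation, finds every database connection that carries a password and reports how that password is stored, so the same check can be run across a whole repository export. It relies on the AES prefix described above; the "Encrypted " prefix it uses to recognise Kettle-obfuscated values comes from Kettle's own encoder and is not stated on this page. The embedded .ktr is a constructed sample with placeholder values.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# "AES" is the marker the documentation says a correctly encrypted password starts with.
# "Encrypted " is the marker Kettle obfuscation writes in front of a value (assumption
# taken from Kettle's encoder, not from this page); anything else is treated as plain text.
AES_PREFIX = "AES"
KETTLE_PREFIX = "Encrypted "

# Constructed sample of the parts of a saved .ktr that matter here. The values after the
# prefixes are placeholders, not real Kettle output.
SAMPLE_KTR = """<transformation>
  <info><name>aes_check</name></info>
  <connection>
    <name>mydb</name>
    <type>MYSQL</type>
    <password>AES PLACEHOLDER_CIPHERTEXT</password>
  </connection>
  <connection>
    <name>legacy</name>
    <password>Encrypted PLACEHOLDER_OBFUSCATED</password>
  </connection>
  <connection>
    <name>plain_db</name>
    <password>NotEncodedAtAll</password>
  </connection>
  <step>
    <name>Table input</name>
    <connection>mydb</connection>
  </step>
</transformation>
"""


def classify_password(value: str) -> str:
    """Return 'aes', 'kettle', 'plain' or 'empty' for a stored password value."""
    v = (value or "").strip()
    if not v:
        return "empty"
    if v.startswith(AES_PREFIX):
        return "aes"
    if v.startswith(KETTLE_PREFIX):
        return "kettle"
    return "plain"


def connection_passwords(ktr_xml: str) -> dict:
    """Map each named <connection> that has a <password> child to its storage kind.

    Step-level <connection>mydb</connection> references carry no password and are skipped.
    """
    root = ET.fromstring(ktr_xml)
    found = {}
    for conn in root.iter("connection"):
        if conn.find("password") is None:
            continue
        name = conn.findtext("name", default="").strip()
        found[name] = classify_password(conn.findtext("password", default=""))
    return found


def aes_applied(ktr_xml: str, connection_name: str) -> bool:
    """Step 6 automated: True only if that connection's password starts with AES."""
    return connection_passwords(ktr_xml).get(connection_name) == "aes"


def report(paths) -> list:
    """Scan .ktr/.kjb files and list (file, connection, kind) for every non-AES password."""
    findings = []
    for path in paths:
        p = Path(path)
        for name, kind in connection_passwords(p.read_text(encoding="utf-8")).items():
            if kind != "aes":
                findings.append((str(p), name, kind))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for finding in report(sys.argv[1:]):
            print("NOT AES:", *finding)
    else:
        print(connection_passwords(SAMPLE_KTR))
```

Run it as `python check_aes.py path/to/*.ktr path/to/*.kjb`; any line printed means a connection whose password was saved before the switch or by a node whose kettle.properties was not updated.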