cloudstack-issues mailing list archives

From "Radhika Nair (JIRA)" <>
Subject [jira] [Updated] (CLOUDSTACK-1743) No Section on About Password and Key Encryption Though Multiple References Appear in the Install Guide
Date Wed, 20 Mar 2013 14:25:15 GMT


Radhika Nair updated CLOUDSTACK-1743:

    Component/s: Doc
> No Section on About Password and Key Encryption Though Multiple References Appear in the Install Guide
> ------------------------------------------------------------------------------------------------------
>                 Key: CLOUDSTACK-1743
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Doc
>    Affects Versions: 4.0.1
>            Reporter: Radhika Nair
> The following section is missing in the Install Guide:
> <section id="about-password-encryption">
>   <title>About Password and Key Encryption</title>
>   <para>&PRODUCT; stores several sensitive passwords and secret keys that are used to provide
>     security. These values are always automatically encrypted:</para>
>   <itemizedlist>
>     <listitem>
>       <para>Database secret key</para>
>     </listitem>
>     <listitem>
>       <para>Database password</para>
>     </listitem>
>     <listitem>
>       <para>SSH keys</para>
>     </listitem>
>     <listitem>
>       <para>Compute node root password</para>
>     </listitem>
>     <listitem>
>       <para>VPN password</para>
>     </listitem>
>     <listitem>
>       <para>User API secret key</para>
>     </listitem>
>     <listitem>
>       <para>VNC password</para>
>     </listitem>
>   </itemizedlist>
>   <para>&PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are
>     encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;’s
>     internal properties files along with the database password. The other encrypted values
>     above, such as SSH keys, are in the &PRODUCT; internal database.</para>
>   <para>Of course, the database secret key itself can not be stored in the open – it must be
>     encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an
>     external source during Management Server startup. This key can be provided in one of two ways:
>     loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a new
>     configuration setting that lets it know which of these methods will be used. If the
>     type is set to “file,” the key must be in a file in a known location. If the encryption type is
>     set to “web,” the administrator runs the utility
>, which relays the key to the Management
>     over a known port.</para>
>   <para>The encryption type, database secret key, and Management Server secret key are set during
>     &PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script
>     (cloud-setup-databases). The default values are file, password, and password. It is, of course,
>     highly recommended that you change these to more secure keys.</para>
> </section>

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
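
The section quoted in this issue states that the encryption type and the two secret keys default to file, password, and password. The shell functions below are an added example, not part of the issue or of CloudStack's code: they generate random keys and reject the defaults before the values are handed to cloud-setup-databases. The function names, the 16-character minimum, and the rule that the two keys differ are assumptions of this example; -e, -m and -k are the setup script's options for the three values and are not shown on this page.

```shell
# Added example, not CloudStack code. Function names and the policy
# thresholds below are assumptions made for this illustration.
DEFAULT_KEY="password"   # default for both keys, per the quoted section
MIN_KEY_LEN=16           # assumed policy threshold, not a CloudStack rule

# Generate a 64-hex-character key from the kernel CSPRNG.
gen_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print why a key is unacceptable and return 1, or return 0 if it passes.
check_key() {
    name=$1
    key=$2
    if [ "$key" = "$DEFAULT_KEY" ]; then
        echo "$name: still the default value"; return 1
    fi
    if [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
        echo "$name: shorter than $MIN_KEY_LEN characters"; return 1
    fi
    return 0
}

# Validate the three install-time parameters: encryption type,
# Management Server secret key, database secret key.
check_encryption_params() {
    enc_type=$1 ms_key=$2 db_key=$3
    case $enc_type in
        file|web) ;;
        *) echo "encryption type: must be file or web"; return 1 ;;
    esac
    check_key "management server key" "$ms_key" || return 1
    check_key "database key" "$db_key" || return 1
    if [ "$ms_key" = "$db_key" ]; then
        # Assumed rule: the key that protects the other should not equal it.
        echo "keys: the two secret keys must differ"; return 1
    fi
    return 0
}

# Emit the encryption arguments for cloud-setup-databases only if the
# parameters pass (-e type, -m Management Server key, -k database key).
encryption_args() {
    check_encryption_params "$1" "$2" "$3" >&2 || return 1
    printf '%s\n' "-e $1 -m $2 -k $3"
}
```

Keys passed as command-line arguments are visible in the process list while the setup script runs, so run it from a session other local users cannot observe.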