...
Instead of storing the decrypted data to a file, there are a lot of other options, e.g.:
- use the decrypted data as credentials in subsequent steps or transformations
...
- put the decrypted data into variables visible in a limited scope (e.g. parent job) and use them as credentials for databases, repositories, etc. (see PDI-6168)
...
- and many more options
We may consider:
- Symmetric-key algorithm vs. asymmetric key algorithms (public-key cryptography)
...
- Diffie-Hellman key exchange is a specific method of exchanging keys.
...
- Ensure integrity e.g. by hash-codes
...
- Key file handling could be optimized in different ways.
...
- Please keep in mind that unencrypted data is in RAM (see PDI-6170 for a circumvention to prevent heap dumps)
...
- Besides the binary or indexed storage types, an encrypted storage type may be possible in Kettle core.
For screenshots, some further background information and a test run, please see http://kettle.bleuel.com/2011/06/07/security-considerations-and-encryption-with-kettle/