Password encoding options
Traditionally Kettle has had its own particular way of encoding passwords.
Passwords stored in ETL metadata can't simply be hashed, because they need to be fully recoverable to log into third-party systems such as databases, slave servers, websites, FTP servers and so on.
The standard encoding (obfuscation) scheme is obscure enough, but it does not use any specific passphrase or password to encode and decode the actual values, so anyone with the code can reverse it. Starting from version 5.1, Kettle therefore offers the possibility to create plugins to encode passwords. "Encode" here covers all of the following options:
- obfuscate
- store in clear text
- symmetrically encrypt
- asymmetrically encrypt
- ...
For more details on the plugins, see the plugins section of this SDK.
Configuring password encoding
If you don't configure anything and don't set the KETTLE_PASSWORD_ENCODER_PLUGIN variable, the default Kettle two-way password encoder is used. You can recognize encoded passwords by the "Encrypted" prefix string.
If you want to configure the Kettle password encoder specifically, set KETTLE_PASSWORD_ENCODER_PLUGIN=Kettle
AES Password encryption
For the enterprise edition of PDI there is an extra plugin available to encrypt stored passwords (in XML and in repositories) using an AES passphrase.
Please see the documentation in help.pentaho.com for the most up to date information.
For the AES plugin specifically you need to define a variable called KETTLE_AES_KEY_FILE. The content of this file (which can be placed anywhere) is a 16-, 24- or 32-character passphrase, corresponding to AES-128, AES-192 or AES-256 encryption. For example: MySecretKey12345 (the length is counted in bytes of a UTF-8 encoded file, so non-ASCII characters count for more than one).
There's a second variable called KETTLE_AES_KETTLE_PASSWORD_HANDLING. It allows the user to specify compatible handling of older, Kettle-encoded transformations by setting it to "Decode" (case insensitive). Any other value for KETTLE_AES_KETTLE_PASSWORD_HANDLING causes an exception to be thrown when the "Encryption" prefix is found in a password. In other words, the default behavior is to reject standard-encoded passwords; this should prevent unintended usage of non-encrypted passwords. If you do allow it (value "decode"), passwords with the "Encryption" prefix are read, and are written back with "AES" as the prefix.
The ID of the plugin is AES: set KETTLE_PASSWORD_ENCODER_PLUGIN=AES to choose the plugin.
You can assume 128-bit keys are always supported by your java platform. If you require stronger encryption, then please refer to your Java platform documentation on how to obtain the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. You can download these, along with the installation instructions from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html (For Java 7, other releases might require a different download and install procedure)
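The key-file length check, the AES prefix, the rejection of classic "Encrypted" values unless KETTLE_AES_KETTLE_PASSWORD_HANDLING is "decode", and the JCE key-size limit from the preceding paragraphs, as an added Java example. This is not the pdi-ee-plugin's code: the cipher mode (AES/GCM with a random nonce), the Base64 text form, the exact prefix spelling "AES ", the stripping of a trailing newline in the key file, and the `legacyDecoder` hook (which stands in for Kettle's own two-way decoder) are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.function.Function;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative AES password encoder mirroring the configuration rules described
 * on this page. It is NOT the pdi-ee-plugin: the cipher mode (AES/GCM), the IV
 * layout, the Base64 text form and the prefix spelling "AES " are assumptions.
 */
public class AesPasswordEncoderExample {
    static final String AES_PREFIX = "AES ";          // prefix written by the AES encoder (assumed spelling)
    static final String KETTLE_PREFIX = "Encrypted "; // prefix of the classic Kettle two-way encoder
    static final int IV_BYTES = 12;                   // GCM nonce length
    static final int TAG_BITS = 128;                  // GCM authentication tag length

    /** Reads the file named by KETTLE_AES_KEY_FILE and checks it holds a 16-, 24- or 32-byte UTF-8 passphrase. */
    static SecretKey loadKey(Path keyFile) throws Exception {
        String raw = new String(Files.readAllBytes(keyFile), StandardCharsets.UTF_8);
        // Assumption of this example: a trailing line break left by an editor is stripped,
        // otherwise the page's 16-character example would be counted as 17 bytes and rejected.
        byte[] key = raw.replaceAll("[\\r\\n]+$", "").getBytes(StandardCharsets.UTF_8);
        int bits = key.length * 8;
        if (bits != 128 && bits != 192 && bits != 256) {
            throw new IllegalArgumentException(
                "key file must contain 16, 24 or 32 UTF-8 bytes, found " + key.length);
        }
        // On a JRE still limited by the default jurisdiction policy this returns 128;
        // 192/256-bit keys then need the JCE Unlimited Strength policy files.
        if (bits > Cipher.getMaxAllowedKeyLength("AES")) {
            throw new IllegalStateException("AES-" + bits + " is not permitted by the installed JCE policy");
        }
        return new SecretKeySpec(key, "AES");
    }

    /** Encrypts a clear-text password and returns it with the AES prefix. */
    static String encode(String password, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);               // fresh nonce per value; never reuse one with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];   // stored as iv || ciphertext+tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return AES_PREFIX + Base64.getEncoder().encodeToString(out);
    }

    /**
     * Decodes a stored password. legacyHandling carries the value of
     * KETTLE_AES_KETTLE_PASSWORD_HANDLING; legacyDecoder is a hypothetical hook
     * standing in for Kettle's own two-way decoder, which this example does not implement.
     */
    static String decode(String stored, SecretKey key, String legacyHandling,
                         Function<String, String> legacyDecoder) throws Exception {
        if (stored.startsWith(AES_PREFIX)) {
            byte[] in = Base64.getDecoder().decode(stored.substring(AES_PREFIX.length()));
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            // doFinal throws AEADBadTagException if the value was tampered with or the key is wrong
            return new String(cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
        }
        if (stored.startsWith(KETTLE_PREFIX)) {
            if (!"decode".equalsIgnoreCase(legacyHandling)) {   // default: reject, as the page states
                throw new IllegalStateException("classic Kettle-encoded password found; set "
                    + "KETTLE_AES_KETTLE_PASSWORD_HANDLING=Decode to accept it");
            }
            return legacyDecoder.apply(stored.substring(KETTLE_PREFIX.length()));
        }
        return stored; // no prefix: clear text
    }

    public static void main(String[] args) throws Exception {
        // Constructed key file standing in for KETTLE_AES_KEY_FILE, holding the page's 16-character example (AES-128)
        Path keyFile = Files.createTempFile("kettle-aes", ".key");
        Files.write(keyFile, "MySecretKey12345\n".getBytes(StandardCharsets.UTF_8));
        SecretKey key = loadKey(keyFile);
        String handling = System.getenv("KETTLE_AES_KETTLE_PASSWORD_HANDLING"); // null unless set

        String stored = encode("db-password-123", key);
        System.out.println(stored);                                   // AES <base64, differs per run>
        System.out.println(decode(stored, key, handling, s -> s));     // db-password-123

        try {   // constructed legacy value; rejected unless handling is "decode"
            decode(KETTLE_PREFIX + "LEGACY-VALUE", key, handling, s -> s);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Files.deleteIfExists(keyFile);
    }
}
```

Run it once without KETTLE_AES_KETTLE_PASSWORD_HANDLING set to see the legacy value rejected, then with the variable set to Decode to see it accepted. Because the value is authenticated (GCM), a password that was edited by hand or encrypted under a different key file fails loudly at decode time rather than yielding garbage credentials.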
The only dependencies are kettle-core.jar and the pdi-ee-plugin; nothing else is needed.