Encrypting Credentials
SlashDB supports encryption of credentials used for database connections. To enable encryption, use the secret INI parameter, or set the environment variable SLASHDB_SECRET (the environment variable takes precedence over the INI setting).
If the INI parameter is not set and there is no environment variable, passwords will be stored as plain text.
The secret can take either of two formats:
- 32 alphanumeric characters, or
- 32 bytes, Base64-encoded
If SlashDB is configured with a secret, then all passwords are encrypted. This also applies to configuration files that were using plain text before the secret was set. After setting the secret, all plain text passwords are encrypted on SlashDB startup.
When using a cluster of SlashDB instances that are synchronized via Memcached, it is necessary to set the same secret on all instances.
Decrypting passwords
The config files can be decrypted with the command /opt/slashdb/bin/slashdb-secret decrypt.
The secret key to use for decryption will be taken from the environment variable or INI file. A decrypted version will overwrite the original configuration files.
Re-encrypting passwords
In case config files have to be re-encrypted with a new secret, the same command, /opt/slashdb/bin/slashdb-secret decrypt, should be used.
The new secret is taken from the environment variable or INI file. The command requires the additional argument --old-secret in order to decrypt the configuration files before re-encrypting them.
A typical update procedure should be as follows:
- Update the environment variable SLASHDB_SECRET or secret in the INI file with the new secret key.
- Run the command with the old secret: /opt/slashdb/bin/slashdb-secret decrypt --old-secret [old secret key]
Example:
Using the decrypt command with the new secret in the environment variable or INI file, and the old secret w6T0MvIkOYIq1ZazUGIB59FWCa3Brt8Q passed as an argument, to re-encrypt the configuration files:
/opt/slashdb/bin/slashdb-secret decrypt --old-secret w6T0MvIkOYIq1ZazUGIB59FWCa3Brt8Q
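The secret-format rule and the rotation procedure above, as an added shell example that is not part of the SlashDB documentation: it checks a candidate secret against the two accepted formats before the new one is exported and the documented decrypt command is run. The function names are assumptions; the decrypt command and its --old-secret argument are the ones documented here.

```shell
#!/bin/sh
# Added example (not SlashDB's own code). Function names are assumptions;
# /opt/slashdb/bin/slashdb-secret is the tool the documentation describes.

# validate_slashdb_secret SECRET
# Returns 0 when SECRET is 32 alphanumeric characters, or Base64 that
# decodes to exactly 32 bytes; returns 1 otherwise.
validate_slashdb_secret() {
    s=$1
    # Form 1: exactly 32 alphanumeric characters.
    case "$s" in
        *[!A-Za-z0-9]*) ;;   # not purely alphanumeric, try the Base64 form
        *) [ "${#s}" -eq 32 ] && return 0 ;;
    esac
    # Form 2: standard Base64 of 32 bytes is always 44 characters drawn
    # from the Base64 alphabet, with '=' padding at the end.
    case "$s" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    [ "${#s}" -eq 44 ] || return 1
    # Confirm it really decodes to 32 bytes (rejects wrong padding etc.).
    n=$(printf '%s' "$s" | base64 -d 2>/dev/null | wc -c)
    [ "$((n))" -eq 32 ]
}

# generate_slashdb_secret
# Prints a fresh secret in the Base64-of-32-bytes form.
generate_slashdb_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# rotate_slashdb_secret OLD_SECRET NEW_SECRET
# Follows the documented procedure: make the new secret the active one via
# the environment variable (which overrides the INI setting), then run the
# decrypt command with --old-secret so the config files are re-encrypted.
rotate_slashdb_secret() {
    old=$1
    new=$2
    validate_slashdb_secret "$old" || { echo "old secret: invalid format" >&2; return 1; }
    validate_slashdb_secret "$new" || { echo "new secret: invalid format" >&2; return 1; }
    SLASHDB_SECRET=$new /opt/slashdb/bin/slashdb-secret decrypt --old-secret "$old"
}
```

In a cluster synchronized via Memcached, run the rotation with the same new secret on every instance, since all of them must share one secret.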