Encrypting passwords in Teiid

Version 4

    WARNING this article is out of date - please refer to more recent documentation.


    Teiid can make use of passwords in configuration files in multiple places, such as for the "superUser" account in the "deploy.properties" file or a password for a RDBMS in a Connector binding.


    By default, passwords are stored in clear text. If the system where Teiid is deployed has strict security requirements, Teiid provides scripts that will help you encrypt the passwords and replace the clear text passwords with encrypted ones (these became available in 6.2). Teiid uses a symmetric AES 128 bit encryption key to encrypt the passwords.


    You can find "keystore.sh" and "keystore.bat" scripts under "bin" folder of the <teiid-install>. Before you can encrypt a password, you need to first create a new security key along with a keystore file by executing


         ./keystore.sh -create


    That will create the "teiid.keystore" file in the "deploy" directory of <teiid-install>. Now you can use the below command to encrypt any plain text password


        ./keystore.sh -encrypt mySecretPassword


    Upon executing this command, it will produce an encoded form of the password string as


        Encypted Text:{teiid-encrypt}u+YpG+XVaHvlHx9cQqauNw==


    Now you can replace your plain text password in the configuration files with encrypted text as above. You need to repeat the encrypting process for each and every password you have in the configuration or which ever you want to be secure. Once you are done, just start using Teiid as before. Thats it!


    Please note that the encrypted forms of the passwords are valid as long as you keep the "teiid.keystore" intact.  If somebody tampers with it or if you created a new one, then these passwords will no longer work and you would need to re-encrypt all the passwords with the new key.


    Also, if you encrypted your passwords in the VDB file, and if you shared your VDB with someone else who does not have same "teiid.keystore"  or has  a different "teiid.keystore", decryption will not work in their Teiid runtime system. In this situation you would  need to either share your "teiid.keystore" file along with VDB, or they need to generate and replace the passwords using their key file.