# Enable Password Encryption for Privacera Services

This topic describes how to enable encryption of secrets for Privacera services such as Privacera Portal, Privacera Dataserver, Privacera Ranger, Ranger Usersync, Privacera Discovery, Ranger KMS, Crypto, PEG, and Privacera PolicySync. The passwords are stored in keystores instead of being exposed in plaintext.

By default, all sensitive data of the Privacera services is encrypted.

## CLI Configuration
- SSH to the instance where Privacera is installed.
- Run the following commands:

  ```bash
  cd ~/privacera/privacera-manager
  cp config/sample-vars/vars.encrypt.secrets.yml config/custom-vars/
  vi config/custom-vars/vars.encrypt.secrets.yml
  ```
- In this file, set values for the following:

  Enter a password for the keystore that will hold all the secrets, e.g. `Str0ngP@ssw0rd`:

  ```yaml
  GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
  ```

  To encrypt data of a Privacera service, add the name of the property to that service's list.

  Examples:

  To encrypt properties used by Privacera Portal:

  ```yaml
  PORTAL_ADD_ENCRYPT_PROPS_LIST:
    - PRIVACERA_PORTAL_DATASOURCE_URL
    - PRIVACERA_PORTAL_DATASOURCE_USERNAME
  ```

  To encrypt properties used by Dataserver:

  ```yaml
  DATASERVER_ADD_ENCRYPT_PROPS_LIST:
    - DATASERVER_MAC_ALGORITHM
  ```

  To encrypt new properties used by PolicySync, add the property to the list in the New version of `vars.encrypt.secrets.yml`; to encrypt the old properties, uncomment the property in the Old version of `vars.encrypt.secrets.yml`. For more information on the new and old properties, see PolicySync - Redshift.

  New:

  ```yaml
  POLICYSYNC_V2_ADD_ENCRYPT_PROPS_LIST:
    - REDSHIFT_PASSWORD
  ```

  Old:

  ```yaml
  POLICYSYNC_ADD_ENCRYPT_PROPS_LIST:
    - REDSHIFT_PASSWORD
  ```

  To encrypt properties used by Encryption:

  ```yaml
  # Additional properties to be encrypted for Crypto
  CRYPTO_ENCRYPT_PROPS_LIST:
    - CRYPTO_PORTAL_DATABRICKS_USER_PASSWORD
  ```
To
- Run the following command:

  ```bash
  ./privacera-manager.sh update
  ```

  For a Kubernetes configuration, you also need to run the following command:

  ```bash
  ./privacera-manager.sh restart
  ```
- Check the keystores generated for the respective services:

  ```bash
  ls ~/privacera/privacera-manager/config/keystores
  ```
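As an added example (not part of Privacera Manager), the following Python pre-flight check parses the edited `vars.encrypt.secrets.yml` and flags a keystore password that is missing, left at the `<PLEASE_CHANGE>` placeholder, or too short, so a plaintext placeholder never reaches the generated keystores. The 12-character minimum and the sample file contents are assumptions.

```python
# Added example (not Privacera code): pre-flight check of vars.encrypt.secrets.yml.
import re

PLACEHOLDER = "<PLEASE_CHANGE>"
KEYSTORE_PW_KEY = "GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD"
MIN_PW_LEN = 12  # assumption: a local policy, not a Privacera requirement

def parse_vars(text):
    """Parse the flat key/value and '- item' list subset of YAML this file uses."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line (e.g. '#Additional properties ...')
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)
        if m:  # top-level key: a scalar value, or the start of a list
            key, value = m.group(1), m.group(2).strip().strip('"')
            result[key], current = (value, None) if value else ([], key)
            continue
        m = re.match(r"^\s*-\s*(\S+)\s*$", line)
        if m and current is not None:  # '- PROPERTY_NAME' item of the open list
            result[current].append(m.group(1))
    return result

def check_vars(vars_):
    """Return findings to fix before running update; empty means ready."""
    findings = []
    pw = vars_.get(KEYSTORE_PW_KEY)
    if not isinstance(pw, str) or not pw:
        findings.append(f"{KEYSTORE_PW_KEY} is not set")
    elif pw == PLACEHOLDER:
        findings.append(f"{KEYSTORE_PW_KEY} is still the {PLACEHOLDER} placeholder")
    elif len(pw) < MIN_PW_LEN:
        findings.append(f"{KEYSTORE_PW_KEY} is shorter than {MIN_PW_LEN} characters")
    for key, props in vars_.items():
        if key.endswith("_PROPS_LIST"):  # every entry must be a bare property name
            items = props if isinstance(props, list) else [props]
            findings += [f"{key}: '{p}' is not a property name"
                         for p in items if not re.fullmatch(r"[A-Z0-9_]+", p)]
    return findings

# Constructed sample: the placeholder keystore password was never replaced.
SAMPLE = """\
GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"
PORTAL_ADD_ENCRYPT_PROPS_LIST:
  - PRIVACERA_PORTAL_DATASOURCE_URL
  - PRIVACERA_PORTAL_DATASOURCE_USERNAME
"""
```

Run `check_vars(parse_vars(open("config/custom-vars/vars.encrypt.secrets.yml").read()))` against your edited file; an empty result means the password has been changed and every list entry is a property name.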