Privacera Documentation

Enable password encryption for Privacera Platform services

You can enable secret encryption for the following Privacera Platform services:

  • Privacera portal

  • Data Access Server

  • Privacera Ranger

  • Ranger UserSync

  • Discovery

  • Ranger KMS

  • Crypto

  • PEG

  • PolicySync

The passwords are stored in keystores instead of being exposed in plaintext. By default, all sensitive data of the Privacera services is encrypted.

To enable password encryption for Privacera Platform services, follow these steps:

  1. SSH to the instance where Privacera is installed.

  2. Run the following commands to copy the sample variables file into custom-vars and open it for editing:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.encrypt.secrets.yml config/custom-vars/
    vi config/custom-vars/vars.encrypt.secrets.yml
    
  3. Enter a password for the keystore that will hold all the secrets. For example: Str0ngP@ssw0rd.

    GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD: "<PLEASE_CHANGE>"

  4. To encrypt additional properties of a Privacera service, add each property name as a list item under that service's encrypt-properties key. For example:

    • To encrypt properties used by the Privacera Portal:

      PORTAL_ADD_ENCRYPT_PROPS_LIST:
        - PRIVACERA_PORTAL_DATASOURCE_URL
        - PRIVACERA_PORTAL_DATASOURCE_USERNAME

    • To encrypt properties used by the Data Access Server:

      DATASERVER_ADD_ENCRYPT_PROPS_LIST:
        - DATASERVER_MAC_ALGORITHM

    • To encrypt properties used by Encryption:

      # Additional properties to be encrypted for Crypto
      CRYPTO_ENCRYPT_PROPS_LIST:
        -

  5. Run the following command:

    ./privacera-manager.sh update
    
  6. If you have a Kubernetes configuration, run the following command:

    ./privacera-manager.sh restart

  7. Check the generated keystores for the respective services:

    ls ~/privacera/privacera-manager/config/keystores
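As an added pre-flight check (not part of the Privacera documentation), the following POSIX shell script validates vars.encrypt.secrets.yml before step 5 and inspects the keystore directory from step 7. It assumes only the file, key and property names shown above and nothing about the keystore format; the checks and regexes are this script's own.

```shell
#!/bin/sh
# Added example, not from the Privacera documentation: pre-flight checks for
# config/custom-vars/vars.encrypt.secrets.yml before "./privacera-manager.sh update",
# plus a check of the keystores it generates. File and variable names follow the page;
# the checks themselves are this script's own.

# check_secrets_vars FILE -> status 0 when clean, 1 when any finding is printed.
check_secrets_vars() {
  f=$1; rc=0
  # The keystore password must not be left at the shipped placeholder.
  if grep -q 'GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD:[[:space:]]*"<PLEASE_CHANGE>"' "$f"; then
    echo "FAIL: keystore password is still <PLEASE_CHANGE>"; rc=1
  fi
  # KEY:"value" or KEY:-ITEM (no space after the colon) is one YAML scalar, not a mapping.
  if grep -nE '^[A-Z_]+:[^[:space:]]' "$f"; then
    echo "FAIL: lines above have no space after ':' and would be read as plain text"; rc=1
  fi
  # Every *_ENCRYPT_PROPS_LIST must be followed by indented "- PROPERTY_NAME" items.
  awk '
    /^[A-Z_]+_ENCRYPT_PROPS_LIST:[ \t]*$/ { key = $1; inlist = 1; next }
    inlist && /^[ \t]+-/ {
      if ($0 !~ /^[ \t]+-[ \t]+[A-Za-z0-9_.]+[ \t]*$/) {
        print "FAIL: empty or malformed item under " key " -> " $0; bad = 1 }
      next }
    { inlist = 0 }
    END { exit bad }' "$f" || rc=1
  # The file holds the keystore password in clear; it must not be group/world readable.
  if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+r -o -perm -o+r \))" ]; then
    echo "FAIL: $f is readable by group or others; chmod 600 it"; rc=1
  fi
  return $rc
}

# check_keystores DIR -> 0 when the directory exists, is non-empty and no file is group/world readable.
check_keystores() {
  d=$1
  [ -d "$d" ] || { echo "FAIL: $d does not exist; did the update run?"; return 1; }
  [ -n "$(ls -A "$d")" ] || { echo "FAIL: $d is empty"; return 1; }
  loose=$(find "$d" -type f \( -perm -g+r -o -perm -o+r \))
  [ -z "$loose" ] || { echo "FAIL: keystores readable by group/others:"; echo "$loose"; return 1; }
}

# Constructed sample (not a real Privacera file) showing the two classic mistakes.
tmp=$(mktemp -d)
printf '%s\n' 'GLOBAL_DEFAULT_SECRETS_KEYSTORE_PASSWORD:"<PLEASE_CHANGE>"' \
  'PORTAL_ADD_ENCRYPT_PROPS_LIST:-PRIVACERA_PORTAL_DATASOURCE_URL' > "$tmp/vars.encrypt.secrets.yml"
chmod 600 "$tmp/vars.encrypt.secrets.yml"
check_secrets_vars "$tmp/vars.encrypt.secrets.yml" || echo "sample rejected, as expected"
```

Run it against the real file and keystore directory (check_secrets_vars ~/privacera/privacera-manager/config/custom-vars/vars.encrypt.secrets.yml, then check_keystores ~/privacera/privacera-manager/config/keystores after the update) and treat any non-zero status as a stop before restarting services.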