* Home :: Get a random password :: Get a multi-word password :: What is my IP? (v4 | v6)
* My projects

CloudStack management and DB encryption options

Tags: howto

Date: 20260109

Updated: 20260112

The title might sound a little bit ambiguous, so let me clarify what this is about - while trying to set up a very secure CloudStack environment, operators might be looking at the encryption options of the "cloudstack-setup-databases" command which is used when installing CloudStack.

The relevant options are:

  -m MGMTSECRETKEY, --managementserver-secretkey=MGMTSECRETKEY
                        Secret key used to encrypt confidential parameters in
                        db.properties. A string, default is password
  -k DBSECRETKEY, --database-secretkey=DBSECRETKEY
                        Secret key used to encrypt sensitive database values.
                        A string, default is password

So what do they do? 
1 - MGMTSECRETKEY (management key)
    - used to encrypt passwords in the /etc/cloudstack/management/db.properties file
    - the default value is "password"
    - saved as clear text in /etc/cloudstack/management/key

2 - DBSECRETKEY (database key)
    - used to encrypt certain things in the database
    - the default value is "password"
    - the encrypted value is saved as "db.cloud.encrypt.secret" in the db.properties

How to retrieve these keys?
1 - As I said, the management key is saved as text in /etc/cloudstack/management/key so simply open that file.
2 - The database key requires a more convoluted process:

# grep db.cloud.encrypt.secret /etc/cloudstack/management/db.properties
db.cloud.encrypt.secret=ENC(bSCgrXVvUrKGVi2qDKPfDOvqUriq5t+LA0FagFHyqM6LuwM2)

# java -classpath /usr/share/cloudstack-common/lib/cloudstack-utils.jar com.cloud.utils.crypt.EncryptionCLI -p password -i bSCgrXVvUrKGVi2qDKPfDOvqUriq5t+LA0FagFHyqM6LuwM2 -d
password

Is it possible to rotate these keys?
Yes, it is, but it's not very straightforward as "key rotation" is not a proper feature someone has thought to put into CloudStack yet, but if you can save/dump your DB then you can regenerate the keys using the cloudstack-migrate-databases command.

Links:
https://www.shapeblue.com/new-cloudstack-database-encryption-engine/
(c)The Nux(tm) ;-)

No CSS, no Javascript, no some HTML.
No ads, no tracking, no cookies.

Optimised for Dillo browser, great in Lynx, too :)