Encryption types

You can specify the encryption type used by a Deployment Automation server, agent, or agent relay. The encryption type determines how secured values (passwords and other secure properties held in configuration files and in the database) are protected at rest.

Supported encryption types

  • LEGACY (the original encryption method; kept for compatibility with older plugins, but the weakest of the three)
  • AES256
  • RSA


Encryption keys

Encryption and decryption keys are either provided by the user or generated automatically when a server, agent, or agent relay starts. They are stored in the folder enc-keys, which is created on first start. Each key file is named using this pattern:

Pattern                           Description
<encryption type>-<key index>-E   Stores the encryption key.
<encryption type>-<key index>-D   Stores the decryption key.
<encryption type>-<key index>     Fallback used when no -E or -D file with the corresponding index exists.

  • If the folder enc-keys is empty when a server, agent relay, or agent starts, random keys are generated and stored for the configured encryption type.
  • The key index is exactly one character.
  • If a key is not found, or an error occurs during encryption or decryption, the default hard-coded key is used. This fallback is silent: data encrypted with a key that is no longer present cannot be recovered with the default key, so keep the -D file for every index that stored data still references.
  • The '!' symbol is reserved for the index of the default key.
  • Data is always encrypted with the latest key, that is, the key with the highest index.
  • All keys are reloaded when a server restarts.
  • Encrypted data records the index of the key that encrypted it. The decryption key with that index must be present in the enc-keys folder of the profile that decrypts it.
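The lookup rules above, modelled in Python as an added example (this is not Deployment Automation's own code). It parses the documented file-name pattern, picks the highest-index key for new encryptions, resolves the decryption key for a stored key index, and audits a folder for indices whose decryption key is missing, so the silent fallback to the hard-coded key can be caught before it makes data unreadable. Assumptions, also marked in the comments: one-character indices are compared by character value, files using the reserved '!' index are ignored, the functions and the `SAMPLE_ENC_KEYS` listing are the example's own, and the listing is constructed rather than taken from a real installation.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not Deployment Automation code: a model of the enc-keys
# lookup rules. The '!' index is reserved for the built-in default key.
DEFAULT_INDEX = "!"

# Documented pattern: <encryption type>-<key index>[-E|-D], one-character index.
_NAME_RE = re.compile(r"^(?P<etype>[A-Za-z0-9]+)-(?P<index>.)(?:-(?P<role>[ED]))?$")

# Constructed directory listing of a <profile location>/conf/server/enc-keys folder.
SAMPLE_ENC_KEYS = [
    "AES256-1-E", "AES256-1-D",
    "AES256-2",            # bare file: fallback for both -E and -D
    "AES256-3-E",          # rotated in, but the -D file was never installed
    "RSA-1-E", "RSA-1-D",
    "README.txt",          # not a key file; ignored
]

KeyMap = Dict[Tuple[str, str], Dict[str, str]]


def parse_key_files(filenames: List[str]) -> KeyMap:
    """Group file names by (type, index) -> {role: filename}; role is E, D or ''.

    Assumption: files using the reserved '!' index are ignored, since that
    index always means the hard-coded key.
    """
    keys: KeyMap = {}
    for name in filenames:
        m = _NAME_RE.match(name)
        if not m or m.group("index") == DEFAULT_INDEX:
            continue
        slot = keys.setdefault((m.group("etype").upper(), m.group("index")), {})
        slot[m.group("role") or ""] = name
    return keys


def _lookup(slot: Dict[str, str], role: str) -> Optional[str]:
    """Prefer <type>-<index>-<role>; fall back to the bare <type>-<index> file."""
    return slot.get(role) or slot.get("")


def choose_encryption_key(filenames: List[str], etype: str) -> Tuple[str, Optional[str]]:
    """Key used for new data: the highest index that has an encryption key.

    Returns (index, filename); (DEFAULT_INDEX, None) means no usable key file
    exists and the hard-coded default key would be used. Assumption:
    one-character indices are ordered by their character value.
    """
    candidates = []
    for (t, idx), slot in parse_key_files(filenames).items():
        fname = _lookup(slot, "E")
        if t == etype.upper() and fname:
            candidates.append((idx, fname))
    if not candidates:
        return DEFAULT_INDEX, None
    return max(candidates)


def decryption_key_for(filenames: List[str], etype: str, index: str) -> Optional[str]:
    """File needed to decrypt data whose recorded key index is `index`.

    None means no key file applies and the hard-coded default key is used;
    for any real index that is a failure, because the default key cannot
    decrypt data produced with a generated or user-supplied key.
    """
    if index == DEFAULT_INDEX:
        return None
    slot = parse_key_files(filenames).get((etype.upper(), index), {})
    return _lookup(slot, "D")


def audit(filenames: List[str], etype: str) -> List[str]:
    """Findings for a folder where the silent default-key fallback would bite."""
    findings: List[str] = []
    typed = {idx: slot for (t, idx), slot in parse_key_files(filenames).items()
             if t == etype.upper()}
    if not typed:
        return [f"no {etype} key files: the hard-coded default key is in use"]
    for idx, slot in sorted(typed.items()):
        if not _lookup(slot, "D"):
            findings.append(f"index {idx!r}: no decryption key; data tagged "
                            f"{idx!r} would fall back to the default key")
    return findings


if __name__ == "__main__":
    print("encrypting with:", choose_encryption_key(SAMPLE_ENC_KEYS, "AES256"))
    for finding in audit(SAMPLE_ENC_KEYS, "AES256"):
        print("WARNING:", finding)
```

Running the audit against a real folder (`os.listdir` on the enc-keys path for the server, agent, or agent relay) before rotating keys or restoring a profile is the practical use: any index that has an -E file but no -D file or bare fallback is data you will not be able to read back.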


Server encryption

  • Default encryption type: AES256
  • To set the server encryption type, edit the property systemConfig/encryptionAlgorithm in the file da_config.xml.
  • RSA is not supported for the server: RSA ciphertext is longer than the plaintext it protects, so the database columns that hold encrypted values would need their length increased before it could be used.
  • The folder enc-keys is created in: <profile location>/conf/server
  • Data already encrypted in the database is not re-encrypted during a server upgrade or when the encryption algorithm property changes; existing values remain readable only as long as the key they were encrypted with is still present. If the property changes, the secure properties in the file installed.properties are re-encrypted when the server starts.


Agent encryption

  • Default encryption type: LEGACY
  • To set the agent encryption type, edit the property locked/agent.strict.encryption.type in the file agent.properties.
  • AES256 and RSA are not compatible with older plugins; LEGACY is, but it is the least secure option, so prefer a non-default type wherever the plugins in use allow it.
  • The folder enc-keys is created in: <agent location>/conf/agent
  • If the encryption type property is changed, secure properties in the file agent.properties are re-encrypted when the agent starts.


Agent relay encryption

  • Default encryption type: AES256
  • To set the agent relay encryption type, edit the property agentrelay.encryption.type in the file agentrelay.properties.
  • The folder enc-keys is created in: <agent relay location>/conf
  • If the encryption type property is changed, secure properties in the file agentrelay.properties are re-encrypted when the agent relay starts.
