
Encryption Configuration

This article describes how to configure internal encryption between ONE modules and how to encrypt specific properties. In on-premise deployments, all properties listed are provided in the <module>/etc/ file.

Internal encryption

The communication between ONE modules can be encrypted so that any sensitive data exchanged between the modules is protected.

For instance, when jobs are submitted to Data Processing Module (DPM) from public clients, such as ONE Desktop, the information transmitted includes sensitive data from the runtime configuration, typically connection details and credentials for the data sources that are used in the executed plan.

This data is encrypted through a one-time key that is generated by the public client and encrypted using DPM’s public key. To access the data, DPM uses its own private key to decrypt the one-time key, which is in turn used to decrypt the data. If the internal.encryption.* properties are configured, the sensitive data is encrypted again through the provided internal keystore.

You can opt in to or out of encrypting the sensitive data using the one-time key. If no one-time key is used, DPM still executes the submitted job. If you opt out, you can still manually encrypt the runtime configuration data before any client sends it to DPM, as long as a compatible keystore is configured in DPE.

Using the one-time key to encrypt the runtime configuration data is the preferred option for public clients like ONE Desktop, as otherwise the keystore has to be pre-shared so that it is available to the client or the user encrypting the sensitive data.

The internal keystore can also be used to decrypt data source credentials coming from other modules, mainly Metadata Management Module (MMM). In this case, the same keystore needs to be configured for both Data Processing Engine (DPE) and MMM as the data is typically decrypted in DPE. This ensures that the sensitive data is securely transmitted from MMM for data processing.

Take note of the following:

  • All other communicating modules, such as MMM, must have these properties configured in the same or compatible way in order to prevent any conflicts.

  • In DPE, all paths used in encryption properties (internal.encryption.* and properties.encryption.*) must be absolute, as they are used both by DPE and by external runtime processes.

  • To run remote jobs from ONE Desktop or to use secrets encrypted by a keystore key in the default runtime configuration, you must set the properties as Java options in DPM rather than in the configuration file. For example: -Dinternal.encryption.keystore=<path_to_keystore>.

Make sure the file paths do not contain any space characters.

Property Data type Description

  • The full path to the keystore used for internal encryption. For example, file:/path/to/keystore.p12.

  • The full path to a plaintext file with the keystore password. For example, file:/path/to/password-file.

  • The name of the key used for encryption from the keystore file. Not used in DPE.

  • Defines the type of cipher used for encryption. Default value: AES_CBC. Possible values include: AES, DES, TDES. Not used in DPE and MMM.

Properties encryption

The properties keystore lets users specify their own keys to encrypt passwords before supplying them to DPM, for example the credentials used to access the data sources that users work with.

When the same keystore is configured for DPE, users can make sure that their credentials are protected until they are used to access the data for processing.

Make sure the file paths do not contain any space characters.

Property Data type Description

  • The full path to the keystore used for properties encryption. For example, file:/path/to/keystore.p12.

  • The full path to a plaintext file with the keystore password. For example, file:/path/to/password-file.

  • The name of the key used for encryption from the keystore file. Not used in DPE and MMM.

Manage secrets during credentials rotation

Credentials rotation often requires updates to your encryption configurations. To ensure your environment remains secure:

  1. Use the encrypt[.bat|.sh] utility to encrypt the new credentials. For instructions about how to use the utility, see Encrypt Passwords.

  2. Ensure all configurations referencing the updated secrets are correctly applied by running integration tests. Look for connectivity or decryption errors in the logs.

  3. In case of issues, verify once more the keystore and encrypted secrets are correctly configured.
