Encrypt Credentials
To enable enhanced security for sensitive information, the dremio-admin encrypt CLI command lets you encrypt the values of certain passwords or secrets in Dremio configuration files.
Run dremio-admin encrypt as the dremio service user, not as the root user. Running the command as the root user can cause permissions issues. If it is not possible to run the command as the dremio service user, change the owner and group of the $DREMIO_HOME/data/security folder and underlying files to the dremio service user.
Dremio supports encrypted values for the following properties and applicable configuration files:
Configuration File | Configuration Property |
---|---|
ad.json | bindPassword |
azuread.json | clientSecret |
dremio.conf | keyStorePassword |
dremio.conf | keyPassword |
dremio.conf | trustStorePassword |
core-site.xml | fs.s3a.secret.key |
core-site.xml | dfs.adls.oauth2.credential |
core-site.xml | dremio.azure.key |
core-site.xml | dremio.azure.clientSecret |
oauth.json | clientSecret |
Syntax
Syntax for encrypt command:
    ./dremio-admin encrypt <string_to_encrypt>
Example
The following example shows the command for encrypting a user-supplied string, the encrypted output that is returned, and how to use the encrypted output as the value for a configuration property:
Encrypt:
    sudo su - dremio
    ./dremio-admin encrypt <yourSecret>
secret:1.90WZLVORD26pwyAg8qKtQqw9Te8Xom5mdkSMmR_U4knjHvoWHM9urj
bindPassword: "secret:1.90WZLVORD26pwyAg8qKtQqw9Te8Xom5mdkSMmR_U4knjHvoWHM9urj"
Steps to Encrypt a String
- On the master node, run the dremio-admin encrypt CLI command using the supplied string.
- Copy the entire output starting from secret:, and use this encrypted string for the value of the password or secret in the configuration file.
- Restart the master node.
Core-site.xml files are not owned by Dremio, so you must add a dremio+ prefix to the secret before it is used in the core-site.xml file. For example, you would use dremio+secret:1.90WZLVORD26pwyAg8qKtQqw9Te8Xom5mdkSMmR_U4knjHvoWHM9urj as the encrypted string.
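A configuration check for the steps above and the core-site.xml prefix rule, as an added example that is not part of the original page or Dremio's own tooling: it reports listed properties whose values lack the secret: prefix (or dremio+secret: in core-site.xml). The function names, file layouts and sample inputs are constructed assumptions, and only the prefix is inspected, not whether the ciphertext is valid.

```python
import json
import re
import xml.etree.ElementTree as ET

# Properties this page lists as accepting encrypted values, per configuration file.
PROPS = {
    "ad.json": {"bindPassword"},
    "azuread.json": {"clientSecret"}, "oauth.json": {"clientSecret"},
    "dremio.conf": {"keyStorePassword", "keyPassword", "trustStorePassword"},
    "core-site.xml": {"fs.s3a.secret.key", "dfs.adls.oauth2.credential",
                      "dremio.azure.key", "dremio.azure.clientSecret"},
}
CONF_RE = re.compile(r'\b(\w+)\s*[:=]\s*"([^"]*)"')  # assumes quoted HOCON values

def classify(value, core_site=False):
    """Return None if the value has the expected encrypted prefix, else a reason."""
    if core_site and value.startswith("secret:"):
        return "missing dremio+ prefix"
    prefix = "dremio+secret:" if core_site else "secret:"
    return None if value.startswith(prefix) else "plaintext"

def json_pairs(text):
    """Collect (key, value) pairs from objects at every depth of a JSON document."""
    found = []
    json.loads(text, object_pairs_hook=lambda kv: found.extend(kv) or dict(kv))
    return found

def audit(filename, text):
    """Return [(property, reason)] for listed properties not stored encrypted."""
    if filename.endswith(".json"):
        pairs = json_pairs(text)
    elif filename == "core-site.xml":
        pairs = [(p.findtext("name", "").strip(), p.findtext("value", "").strip())
                 for p in ET.fromstring(text).iter("property")]
    else:
        pairs = CONF_RE.findall(text)
    return [(n, r) for n, v in pairs if n in PROPS.get(filename, ())
            and isinstance(v, str) and (r := classify(v, filename == "core-site.xml"))]

ENC = "secret:1.90WZLVORD26pwyAg8qKtQqw9Te8Xom5mdkSMmR_U4knjHvoWHM9urj"  # page's example
SAMPLES = {  # constructed inputs, not real Dremio files or schemas
    "ad.json": '{"bindPassword": "%s"}' % ENC,
    "dremio.conf": 'keyStorePassword: "changeit"\nkeyPassword: "%s"' % ENC,
    "core-site.xml": "<configuration><property><name>fs.s3a.secret.key</name>"
                     "<value>%s</value></property></configuration>" % ENC,
}

if __name__ == "__main__":
    print({name: audit(name, text) for name, text in SAMPLES.items()})
```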