en-US/about-password-encryption.xml

<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
%BOOK_ENTITIES;
]>
<!-- Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at
  http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
-->
<section id="about-password-encryption">
  <title>About Password and Key Encryption</title>
  <para>&PRODUCT; stores several sensitive passwords and secret keys that are used to provide
    security. These values are always automatically encrypted:</para>
  <itemizedlist>
    <listitem>
      <para>Database secret key</para>
    </listitem>
    <listitem>
      <para>Database password</para>
    </listitem>
    <listitem>
      <para>SSH keys</para>
    </listitem>
    <listitem>
      <para>Compute node root password</para>
    </listitem>
    <listitem>
      <para> VPN password</para>
    </listitem>
    <listitem>
      <para>User API secret key</para>
    </listitem>
    <listitem>
      <para>VNC password</para>
    </listitem>
  </itemizedlist>
  <para>&PRODUCT; uses the Java Simplified Encryption (JASYPT) library. The data values are
    encrypted and decrypted using a database secret key, which is stored in one of &PRODUCT;’s
    internal properties files along with the database password. The other encrypted values listed
    above, such as SSH keys, are in the &PRODUCT; internal database.</para>
  <para>Of course, the database secret key itself can not be stored in the open – it must be
    encrypted. How then does &PRODUCT; read it? A second secret key must be provided from an
    external source during Management Server startup. This key can be provided in one of two ways:
    loaded from a file or provided by the &PRODUCT; administrator. The &PRODUCT; database has a
    configuration setting that lets it know which of these methods will be used. If the encryption
    type is set to "file," the key must be in a file in a known location. If the encryption type is
    set to "web," the administrator runs the utility
    com.cloud.utils.crypt.EncryptionSecretKeySender, which relays the key to the Management Server
    over a known port.</para>
  <para>The encryption type, database secret key, and Management Server secret key are set during
    &PRODUCT; installation. They are all parameters to the &PRODUCT; database setup script
    (cloudstack-setup-databases). The default values are file, password, and password. It is, of course,
    highly recommended that you change these to more secure keys.</para>
</section>