Encrypt Credentials using KMS

Password handling in Datacoral

All customer data is encrypted at rest as well as in motion using customer managed KMS keys. Datacoral’s cross-account role does not have decrypt permissions on the KMS keys. This means that Datacoral cannot read any customer data. The credentials needed by the collect slices to connect to SaaS products and databases are also stored encrypted using customer managed KMS keys within your AWS account in Amazon DynamoDB.


  • Data Source Credentials like database connection strings and API keys for SaaS products are stored in DynamoDB encrypted using your KMS keys.
  • Credentials for analytics databases like hive and redshift are also stored encrypted in DynamoDB

When adding slices, credentials can be provided in clear text and Datacoral would encrypt it for you before storing the entry into DynamoDB and decrypt when describing the slice.

However, we do recommend using pre-encrypted credentials, as it allows for you to source control configuration files to automate installations for Data Ops and share configurations without compromising security.

Encode password

Steps to encrypt your password are:

  1. Set your installation name and password in the following variables
  1. Encrypt and encode your password
echo -n ${key} > keyFile && aws kms encrypt --key-id alias/datacoral-${installation} --plaintext fileb://keyFile --output text --query CiphertextBlob | node -e "console.log(JSON.stringify(JSON.parse(JSON.stringify(Buffer.from(fs.readFileSync(0).toString(), 'base64'))).data));"
  1. Verify the encryped password is correct via locally decrypting it using following command
node -e "console.log(JSON.stringify(Buffer.from(<encryptedPasswordArray>).toString('base64')))" | tr -d '"' | base64 --decode > out.txt && aws kms decrypt --ciphertext-blob fileb://out.txt --output text --query Plaintext | base64 --decode

This should return the same non-encrypted password 3. Use the encrypted password (integer array) to add slices