Encrypt Credentials using KMS
Password handling in Datacoral
All customer data is encrypted at rest as well as in motion using customer managed KMS keys. Datacoral’s cross-account role does not have decrypt permissions on the KMS keys. This means that Datacoral cannot read any customer data. The credentials needed by the collect slices to connect to SaaS products and databases are also stored encrypted using customer managed KMS keys within your AWS account in Amazon DynamoDB.
Credentials
- Data Source Credentials like database connection strings and API keys for SaaS products are stored in DynamoDB encrypted using your KMS keys.
- Credentials for analytics databases like Hive and Redshift are also stored encrypted in DynamoDB.
When adding slices, credentials can be provided in clear text; Datacoral encrypts them for you before storing the entry in DynamoDB and decrypts them when describing the slice.
However, we recommend using pre-encrypted credentials, because it lets you keep configuration files in source control to automate installations for Data Ops and share configurations without compromising security.
Encode password
Steps to encrypt your password are:
- Set your installation name and password in the following variables
- Encrypt and encode your password
- Verify the encrypted password is correct by decrypting it locally using the following command
This should return the same non-encrypted password.
- Use the encrypted password (integer array) to add slices
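The encrypt, encode and verify steps above can be sketched in Python as an added example; this is not Datacoral's own tooling or commands. It assumes the integer array holds one integer per byte of the KMS `CiphertextBlob`, uses a placeholder key alias, and substitutes a constructed `StubKMS` for `boto3.client("kms")` so it runs without AWS access.

```python
import hmac
import json


def to_int_array(blob: bytes) -> str:
    """Render a KMS CiphertextBlob as a JSON integer array (assumed: one int per byte)."""
    return json.dumps(list(blob))


def from_int_array(text: str) -> bytes:
    """Parse the integer array back to bytes, rejecting anything that is not a byte list."""
    values = json.loads(text)
    if not isinstance(values, list) or not values:
        raise ValueError("expected a non-empty JSON array")
    if any(type(v) is not int or not 0 <= v <= 255 for v in values):
        raise ValueError("every element must be an integer in 0..255")
    return bytes(values)


def encrypt_password(kms, key_id: str, password: str) -> str:
    """Encrypt with the customer managed key and encode the result for a config file."""
    resp = kms.encrypt(KeyId=key_id, Plaintext=password.encode("utf-8"))
    return to_int_array(resp["CiphertextBlob"])


def verify_password(kms, encoded: str, expected: str) -> bool:
    """Decrypt locally and compare in constant time, without printing the plaintext."""
    resp = kms.decrypt(CiphertextBlob=from_int_array(encoded))
    return hmac.compare_digest(resp["Plaintext"], expected.encode("utf-8"))


class StubKMS:
    """Constructed offline stand-in with the response shape of boto3's KMS client.
    The XOR below is NOT encryption; it only lets the example run without AWS."""

    def encrypt(self, KeyId, Plaintext):
        return {"KeyId": KeyId, "CiphertextBlob": bytes(b ^ 0x5A for b in Plaintext)}

    def decrypt(self, CiphertextBlob):
        return {"Plaintext": bytes(b ^ 0x5A for b in CiphertextBlob)}


if __name__ == "__main__":
    # With real credentials: import boto3; kms = boto3.client("kms")
    kms = StubKMS()
    key_id = "alias/example-installation"  # placeholder alias, not a Datacoral key name
    encoded = encrypt_password(kms, key_id, "s3cr3t-example")  # constructed password
    print(encoded)  # safe to commit: ciphertext only
    print("round trip ok:", verify_password(kms, encoded, "s3cr3t-example"))
```

Only the principal that runs the verification needs `kms:Decrypt` on the key; the array itself is ciphertext and can live in a source-controlled configuration file.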