Dataiku password security

Ankit96140
Ankit96140 Registered Posts: 9 ✭✭✭✭

Does Dataiku use AES-256 encryption to store the 3rd party passwords? Also, is there any way to configure these algorithms?

Also, how frequently are the encryption keys rotated?

Answers

  • Théophile
    Théophile Dataiker, Dataiku DSS Core Designer Posts: 6 Dataiker
    edited July 2024

    You can find more information here: https://doc.dataiku.com/dss/latest/security/passwords-security.html#rd-party-system-credentials.

    AES-128, AES-192 and AES-256 are all supported, and you can configure your key length with the dip.properties:

    dku.security.passwordsEncryption.aesKeyLength

    Keep in mind that depending on your Java version you may need to adjust your JCE policy.

    There is no mechanism to rotate the encryption key. Fundamentally, DSS needs to be able to actually send the raw password, so the encryption key is stored in the DSS data directory. So if the encryption key is compromised, you should assume that the attacker also had access to the encrypted 3rd party passwords, and you should consider that those 3rd party passwords are also compromised.
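
A way to check the JCE caveat from the answer above before raising the key length, as an added example that is not from the thread or from Dataiku: it reads dku.security.passwordsEncryption.aesKeyLength from a dip.properties file and compares it with the AES key size the running JVM permits. The class name and the built-in sample value are assumptions made for illustration.

```java
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import javax.crypto.Cipher;

// Hypothetical helper class, not part of DSS.
public class AesKeyLengthCheck {
    static final String KEY = "dku.security.passwordsEncryption.aesKeyLength";

    // Returns null when the configured length is usable, else a description of the finding.
    static String check(Properties props, int jvmMaxBits) {
        String raw = props.getProperty(KEY);
        if (raw == null) {
            return KEY + " is not set, so the DSS default applies";
        }
        int bits;
        try {
            bits = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            return KEY + " is not a number: " + raw;
        }
        if (bits != 128 && bits != 192 && bits != 256) {
            return "AES key length must be 128, 192 or 256, got " + bits;
        }
        if (bits > jvmMaxBits) {
            return bits + " bits configured, but this JVM's JCE policy caps AES at " + jvmMaxBits;
        }
        return null;
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        Properties props = new Properties();
        if (args.length == 1) {
            try (Reader in = new FileReader(args[0])) {   // path to dip.properties
                props.load(in);
            }
        } else {
            props.load(new StringReader(KEY + "=256\n")); // constructed sample
        }
        // Integer.MAX_VALUE here means the unlimited-strength policy is active.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        String problem = check(props, max);
        System.out.println(problem == null ? "OK: key length allowed by this JVM" : "PROBLEM: " + problem);
        System.exit(problem == null ? 0 : 1);
    }
}
```

Run it with the same Java installation that runs DSS, since the JCE policy is a property of that JVM.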

  • Tanguy
    Tanguy Dataiku DSS Core Designer, Dataiku DSS & SQL, Dataiku DSS ML Practitioner, Dataiku DSS Core Concepts, Neuron, Dataiku DSS Adv Designer, Registered, Dataiku DSS Developer, Neuron 2023 Posts: 129 Neuron

    Is there any way to reproduce the encryption outside of DSS (for configuration purposes) without using the dku utility (e.g. by using the dataiku api client)?

  • Turribeach
    Turribeach Dataiku DSS Core Designer, Neuron, Dataiku DSS Adv Designer, Registered, Neuron 2023 Posts: 2,188 Neuron

    No. You could use Python subprocess to execute the command and get the output though.

  • Tanguy
    Tanguy Dataiku DSS Core Designer, Dataiku DSS & SQL, Dataiku DSS ML Practitioner, Dataiku DSS Core Concepts, Neuron, Dataiku DSS Adv Designer, Registered, Dataiku DSS Developer, Neuron 2023 Posts: 129 Neuron

    We’ve found a workaround! 😊

    For context, we configure Dataiku externally using the Dataiku API client. While setting up third-party databases, we initially had to pass an encrypted password because we were using deprecated methods (namely connexion.get_definition() and connexion.set_definition()). However, we discovered that with the newer method (connexion.get_settings().get_raw()), Dataiku automatically encrypts the password when saving the connection settings. This means there’s no need for manual encryption anymore — Dataiku conveniently takes care of it for us! 🙌
