Password Encryption
SAYMON can encrypt passwords and other sensitive information in configuration files and probe settings.
Encryption format
Encrypted values are stored in the following format:
<tags[0]><prefix>:<salt>:<encrypted_value><tags[1]>
For example:
"value": "<<crypt:db7676ec4c7624788349b75e43a3b6a4:1a67b106fabeadf2ac8458395c5e644d>>"
If a field’s value is surrounded with tags but has no prefix, the server encrypts this field on the next restart.
If the value has both tags and a prefix, the server treats it as an encrypted field.
If the value has neither a prefix nor surrounding tags, SAYMON assumes this value isn’t encrypted.
Tags and surrounding prefixes can be configured in the Server configuration.
Configuration file encryption
You can turn on encryption with the server_config parameter of the server configuration:
"encrypt": {
    "server_config": true
}
Mark fields that need to be encrypted with tags (by default, << and >>):
{
    "cache": {
        "password": "testPass1"
    },
    "fieldToEncrypt": "<<testPass2>>",
    "openTsdb": {
        "host": "localhost",
        "port": 4242
    }
}
Restart the SAYMON server to encrypt all marked fields as well as all fields named pass or password:
{
    "cache": {
        "password": "<<crypt:bd5ea51c5ee453220a2616645672e96b:1a67b106fabeadf2ac8458395c5e644d>>"
    },
    "fieldToEncrypt": "<<crypt:db7676ec4c7624788349b75e43a3b6a4:5602ae7b1a4a8ae8ea6cca845f5d4c5f>>",
    "openTsdb": {
        "host": "localhost",
        "port": 4242
    }
}
Tags and surrounding prefixes can be configured in the Server configuration.
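The following audit script is an added example, not part of SAYMON. It applies the three format rules above to a parsed configuration file and reports which secrets are still stored in cleartext because the server has not been restarted since they were marked. It assumes the default tags << and >>, the crypt prefix shown in the samples, and exact matching of the field names pass and password; the "malformed" state and the sample document are constructed for this example.

```python
import json

# Defaults taken from the page; both are configurable, so pass your own if changed.
TAGS = ("<<", ">>")
PREFIX = "crypt"
SECRET_NAMES = {"pass", "password"}  # encrypted by name, even without tags

def classify(value, tags=TAGS, prefix=PREFIX):
    """Return 'plain', 'pending', 'encrypted' or 'malformed' for one string."""
    open_tag, close_tag = tags
    if len(value) < len(open_tag) + len(close_tag) or not (
            value.startswith(open_tag) and value.endswith(close_tag)):
        return "plain"                      # no tags: not treated as a secret
    inner = value[len(open_tag):len(value) - len(close_tag)]
    if not inner.startswith(prefix + ":"):
        return "pending"                    # tags, no prefix: cleartext until restart
    parts = inner.split(":")                # expect <prefix>:<salt>:<encrypted_value>
    # 'malformed' is this script's own category, not a SAYMON state
    return "encrypted" if len(parts) == 3 and all(parts) else "malformed"

def audit(node, path="", key=None):
    """Walk parsed JSON and yield (path, state) for every secret-bearing string."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from audit(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from audit(v, f"{path}[{i}]", key)
    elif isinstance(node, str):
        state = classify(node)
        if state == "plain" and key in SECRET_NAMES:
            state = "pending"               # untagged pass/password field
        if state != "plain":
            yield path, state

def report(config):
    return dict(audit(config))

# Constructed sample: the page's pre-restart config plus two extra fields.
SAMPLE = json.loads("""{
  "cache": {"password": "testPass1"},
  "fieldToEncrypt": "<<testPass2>>",
  "done": "<<crypt:db7676ec4c7624788349b75e43a3b6a4:1a67b106fabeadf2ac8458395c5e644d>>",
  "broken": "<<crypt:db7676ec4c7624788349b75e43a3b6a4>>",
  "openTsdb": {"host": "localhost", "port": 4242}
}""")

if __name__ == "__main__":
    for field, state in report(SAMPLE).items():
        print(f"{state:10} {field}")
```

Any "pending" entry is a secret readable on disk until the next restart, which makes the script suitable as a check before a configuration file is copied or committed.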
Probe settings encryption
Probe parameters can contain sensitive information (like passwords). SAYMON can encrypt those fields.
To enable probe parameter encryption, set the encrypt.db parameter in Server configuration to true:
"encrypt": {
    "db": true
}
The following probes support parameter encryption:
- Database query (DatabaseServerUrl parameter)
- JMX probe (JmxPassword parameter)
- FTP probe (FtpPassword parameter)
After setting this parameter, the values of the specified fields will be saved in the database as encrypted strings.
When a user receives the JmxPassword and FtpPassword fields through REST API requests, the values are replaced with 4 asterisks (****). When a user requests the DatabaseServerUrl parameter, only the DB password is masked.
The server returns an empty string instead of the decrypted value if there is an error during decryption or if encryption was disabled after those fields were encrypted.