Password Encryption
HFMCmd provides the EncryptPassword command for generating encrypted ciphertext from cleartext passwords.
The password to be encrypted is entered on the command-line, and an encrypted version of the password is then echoed to the screen. This encrypted value can then be pasted into control files in place of the cleartext password:
SetLogonInfo:
UserName: admin
Password: !AESsQiNn8JDU1Ks0rhmSDx2wGZZ9Qf1WiqcqfwbcDMjSi0!
HFMCmd provides support for encrypted passwords via two different methods:
- Password based encryption using the AES (Rijndael) 256-bit cipher.
- Encryption using the Windows Protected Data (WPD) facility built into Windows 2000 and later.
AES is a NIST-certified cipher algorithm that uses a master key to encrypt arbitrary text. Decryption of an encrypted item can only be performed using this master key. However, anyone with access to the master key can decrypt any text encrypted with it.
To generate an encrypted password using AES:
Z:\> HFMCmd Encrypt secret portable:true
INFO Executing Application command EncryptPassword:
PlainText : ******
Portable : True
INFO Saving encryption key to Z:\Projects\hfmcmd\bin\NET_3.5_HFM_11.1.2.3\HFMCmd.key
WARN An encryption key has just been generated for use in encrypting and decrypting passwords. This
encryption key file is important, and you should consider whether you need to back it up. IF YOU LOSE
THIS ENCRYPTION FILE, YOU WILL NOT BE ABLE TO DECRYPT ANY PASSWORDS ENCRYPTED WITH IT. You will however
be able to create a new encryption key, and use it to generate new encrypted passwords.
INFO If you intend to use the same encrypted password on other machines, you must also copy the
encryption key file Z:\Projects\hfmcmd\bin\NET_3.5_HFM_11.1.2.3\HFMCmd.key to the HFMCmd directory on
each machine.
INFO Encrypted value: !AESsQiNn8JDU1Ks0rhmSDx2wGZZ9Qf1WiqcqfwbcDMjSi0!
AES should be used when an encrypted control file needs to be used on different machines. However, for maximum security, it is imperative that the passwords and the master key file are either kept separate, or locked down as much as possible.
If possible, don't store the passwords on the same machine as the master key file. As the current version of HFMCmd requires the key file to be in the HFMCmd directory, this means the passwords should be stored elsewhere.
If you are scheduling HFMCmd to run via a scheduling tool, store the encrypted password in the scheduler, and pass the encrypted password on the command-line to HFMCmd.
If passwords are to be stored in control files on the same machine as HFMCmd, then use Windows security to lock down read access to the master key file to the absolute minimum number of users possible. Ideally, this will only be the Windows account under which HFMCmd will be run.
WPD is a built-in facility provided by Windows for encrypting an item of text, using the login credentials of a Windows user. Text encrypted using WPD can only be decrypted on the machine on which it was encrypted.
Note: Passwords encrypted with WPD cannot be used on another machine.
Z:> HFMCmd Encrypt secret
INFO Executing Application command EncryptPassword:
PlainText : ******
Portable : False
INFO Encrypted value: !WPDAQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAACKP69e0x0CH+FjMBmhT0wQAAAACAAAAAAADZgAAqAAAABAAAAAFmIsy6hzD
DyZ269lcxJHBAAAAAASAAACgAAAAEAAAAHz+j2kM8r/VQpYHSR3gKzMIAAAA0HwM8CTSiFwUAAAAGIIM0++r1CagUEjI++hs1HQO5go!
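The following PowerShell script is an added example, not HFMCmd's own code, showing the two mechanisms described above through the .NET APIs HFMCmd is built on: DPAPI (the "WPD" method, bound to the calling user and machine) and AES-256 with a key file whose ACL is restricted to the run-as account, as recommended for the AES method. The key path and account are hypothetical, and the output is plain base64 rather than HFMCmd's own !AES...! and !WPD...! container format.

```powershell
# Assumes Windows PowerShell 5.1 (or PowerShell 7 on Windows). Output is base64, not HFMCmd's !AES..! format.
Add-Type -AssemblyName System.Security    # System.Security.Cryptography.ProtectedData (DPAPI)

# WPD: keyed to the calling user's Windows profile. No key file to guard, but the
# ciphertext only unprotects for that user on that machine.
function Protect-WithWpd([string]$PlainText) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $blob  = [Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')
    return [Convert]::ToBase64String($blob)
}
function Unprotect-WithWpd([string]$CipherText) {
    $blob = [Convert]::FromBase64String($CipherText)
    return [Text.Encoding]::UTF8.GetString(
        [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser'))
}

# AES-256 with a random key file: portable between machines, which is why the key file
# must be readable by as few accounts as possible (ideally only the HFMCmd run-as account).
function New-AesKeyFile([string]$Path, [string]$RunAsAccount) {
    $key = New-Object byte[] 32
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [IO.File]::WriteAllBytes($Path, $key)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs from the directory
    $acl.SetAccessRule([Security.AccessControl.FileSystemAccessRule]::new($RunAsAccount, 'Read', 'Allow'))
    Set-Acl -Path $Path -AclObject $acl
}
function Protect-WithAes([string]$PlainText, [string]$KeyPath) {
    $aes = [Security.Cryptography.Aes]::Create()      # CBC + PKCS7 padding by default (confidentiality only)
    $aes.Key = [IO.File]::ReadAllBytes($KeyPath)      # 32-byte key file -> AES-256
    $aes.GenerateIV()                                 # fresh IV for every password
    $plain = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    return [Convert]::ToBase64String([byte[]]($aes.IV + $ct))   # IV prepended; it is not secret
}
function Unprotect-WithAes([string]$CipherText, [string]$KeyPath) {
    $blob = [Convert]::FromBase64String($CipherText)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = [IO.File]::ReadAllBytes($KeyPath)
    $aes.IV  = [byte[]]$blob[0..15]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
    return [Text.Encoding]::UTF8.GetString($pt)
}

# Hypothetical path. Key file beside the tool, ciphertext kept elsewhere (scheduler or another host).
# Here the ACL is granted to the current user so the demo can run; in production use the scheduled-task account.
New-AesKeyFile -Path 'C:\hfmcmd\HFMCmd.key' -RunAsAccount ([Security.Principal.WindowsIdentity]::GetCurrent().Name)
$aesCt = Protect-WithAes -PlainText 'secret' -KeyPath 'C:\hfmcmd\HFMCmd.key'
$wpdCt = Protect-WithWpd -PlainText 'secret'   # usable only by this user on this machine
Unprotect-WithAes -CipherText $aesCt -KeyPath 'C:\hfmcmd\HFMCmd.key'
```

Copying HFMCmd.key to a second machine is what makes the AES ciphertext portable, so the same ACL restriction must be applied there too.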