By default, OBLOADER & OBDUMPER can run only after you explicitly specify sensitive information, such as the password, on the command line. To enhance information security, OBLOADER & OBDUMPER V4.2.0 and later provide methods to encrypt and decrypt the sensitive information that would otherwise appear on command lines.
Use secure-gen to encrypt information
1. Install OpenSSL and configure environment variables.

   Note
   To use secure-gen to encrypt information, you must install the OpenSSL toolkit. For more information, see the "View the help information of secure-gen" section in this topic.

   Verify that OpenSSL is installed:

       $ which openssl
       /usr/bin/openssl

2. Encrypt sensitive files in the local path.

       ./secure-gen -n <file_path>

   Note
   Sensitive information files must meet the specifications described in Property File Format. You can also edit the sensitive information to be encrypted in the CLI. Example:

   Run the following command in the {ob-loader-dumper}/tools/ directory:

       ./secure-gen -i

   Edit the parameters to be encrypted in the CLI and then enter :wq to save and exit.

       # Input the sensitive fields below in plain-text respectively.
       # Note you can leave any of them as blank, ob-loader-dumper will parse from cli args first, and override any field if there is a conflict.
       #
       # Database password.
       oceanbase.jdbc.password=******
       # Database password for sys tenant.
       oceanbase.jdbc.sys.password=******
       # Access key for cloud storages like OSS & S3.
       cloud.storage.access.key=******
       # Secret key for cloud storages like OSS & S3.
       cloud.storage.secret.key=******
       :wq

   The following table lists the sensitive parameters that can be encrypted by OBLOADER & OBDUMPER.

       Parameter                    Description
       oceanbase.jdbc.password      Optional. The password of a business tenant of OceanBase Database.
       oceanbase.jdbc.sys.password  Optional. The password of the sys tenant in OceanBase Database.
       cloud.storage.access.key     Optional. The AccessKey ID used to access a cloud storage service such as Amazon Simple Storage Service (S3) or Alibaba Cloud Object Storage Service (OSS).
       cloud.storage.secret.key     Optional. The AccessKey secret used to access a cloud storage service such as Amazon S3 or Alibaba Cloud OSS.

3. Choose whether to use an existing key, as prompted.

       $ ./secure-gen
       Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n):

   Enter n to regenerate a key pair by using OpenSSL. By default, the key pair is stored in the <Root directory of the user>/.loaddump/secure/ directory; the public key file is key.pem.pub and the private key file is key.pem. Anyone who can read key.pem can recover the plaintext from secure.rsa, so restrict the private key file to the user account that runs OBLOADER & OBDUMPER.

       Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): n
       Generating RSA private key, 4096 bit long modulus
       ............++
       .......................................................++
       e is 65537 (0x10001)
       Writing RSA key
       The key pair has been generated under the directory /Users/chang/.loaddump, please keep it safe.
       The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information.
       If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.

   Enter y to use an existing key pair. OBLOADER & OBDUMPER load the key pair from the directory and generate an encrypted file, such as /.loaddump/secure/secure.rsa.

       Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): y
       The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information.
       If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.

4. Verify that the key pair and the encrypted file have been generated.

       $ ls ~/.loaddump/secure/
       key.pem  key.pem.pub  secure.rsa

5. Enter the encrypted information in decrypt.properties in the {ob-loader-dumper}/conf/ directory.

       # Absolute path of your secure file, whose name is secure.rsa by default.
       # secure.filePath=
       # Absolute path of your private key, whose name is key.pem by default.
       # privateKey.filePath=
       # Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
       # decrypt.className=
View the help information of secure-gen
secure-gen is an executable Shell script. It can encrypt sensitive information fields by using the RSA algorithm. When you run OBLOADER or OBDUMPER, it will parse decrypt.properties in the {ob-loader-dumper}/conf directory to securely obtain sensitive information.
secure-gen is located in the {ob-loader-dumper}/tools/ directory. You can run ./secure-gen -h or directly enter ./secure-gen to view the help information of secure-gen.
    $ ./secure-gen -h
    Usage: ./secure-gen [-n <file>][-i][-h]
    Description:
      -n: Specify a to-be-encrypted file of sensitive contents in plain-text, use -i to check out the format.
      -i: Input sensitive contents in interactive mode.
      -h: Display this message.
Customize an encryption/decryption mechanism
If OpenSSL is not installed, you can perform the following steps to customize an encryption/decryption mechanism.

1. Create a plaintext file for encryption.
   The file to be encrypted must meet the specifications described in "Properties File Format." For more information, see Properties File Format.

2. Write a decryption class in Java. The class definition must meet the following requirements:
   - A parameterless constructor must be defined.
   - The class must have a non-static method public String decrypt(String encryptRaw). The encryptRaw formal parameter is the encrypted text, and the return value is the decrypted text.

3. Package the decryption class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory.

4. Configure the corresponding content in decrypt.properties in the {ob-loader-dumper}/conf directory.
Examples
Create a Maven project and write a CustomDecryptor class. Use Base64 for encoding and decoding.

Note
Base64 is an encoding, not encryption. In a production environment, choose an appropriate encryption/decryption algorithm as needed.

1. Create a plaintext file for encryption and encode the file by using Base64.

       # Create a plaintext file.
       $ vi password.txt
       # Enter the following content in the file. Then, save the file and exit.
       oceanbase.jdbc.password=******
       oceanbase.jdbc.sys.password=******
       # Encode the file with Base64 and save the result as custom.key.
       $ echo $(base64 password.txt) > /user/loaddump/custom.key

2. Create a Java project. In the project, CustomDecryptor.java is the custom decryption class that you need to write.

3. Write the CustomDecryptor class. The class uses java.util.Base64 (available since Java 8) rather than the internal sun.misc.BASE64Decoder, which is not available on JDK 9 and later.

       package com.example.decrypt;

       import java.nio.charset.StandardCharsets;
       import java.util.Base64;

       public class CustomDecryptor {

           // Parameterless constructor required by OBLOADER & OBDUMPER.
           public CustomDecryptor() {}

           /**
            * Takes the Base64-encoded content of the secure file, decodes it,
            * and returns the plaintext property lines.
            */
           public String decrypt(String encryptedRaw) throws Exception {
               // The MIME decoder ignores the line breaks and spaces that `base64` and
               // `echo $(...)` may leave in custom.key.
               byte[] decoded = Base64.getMimeDecoder().decode(encryptedRaw);
               return new String(decoded, StandardCharsets.UTF_8);
           }
       }

4. Package the CustomDecryptor class as a JAR package and place the package in the {ob-loader-dumper}/lib/ directory to finish setting up the decryptor.

       mvn package && mv target/example-1.0-SNAPSHOT.jar path/to/ob-loader-dumper/lib/

5. Enter the corresponding content in decrypt.properties in the {ob-loader-dumper}/conf/ directory.

       # Absolute path of your secure file, whose name is secure.rsa by default.
       secure.filePath=~/tmp/custom.key
       # Absolute path of your private key, whose name is key.pem by default.
       # privateKey.filePath=
       # Decrypt class name. Fill in this field only if you need a custom mechanism of decryption.
       decrypt.className=com.example.decrypt.CustomDecryptor

   Note
   If you use a custom SDK for encryption and decryption, the privateKey.filePath parameter is optional.

6. Securely run OBLOADER & OBDUMPER.

       ./obdumper -hxx.x.x.x -P2883 -t example -D example --csv --all

   Note
   When you run OBLOADER & OBDUMPER, you do not need to explicitly declare the -p/--password or --sys-password option.
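The Base64 decryptor above only encodes the secure file. The following class, added here as an example and not part of the OBLOADER & OBDUMPER documentation or code base, meets the same decryptor contract (parameterless constructor, non-static public String decrypt(String)) but uses AES-256-GCM, so a tampered or wrong-key secure file is rejected instead of yielding garbage. It assumes the key is supplied in an environment variable named OBLD_SECURE_KEY (a name chosen for this example), and the static encrypt() helper is the offline step that produces the secure file.

```java
package com.example.decrypt;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesGcmDecryptor {
    private static final String KEY_ENV = "OBLD_SECURE_KEY"; // assumed variable name, Base64 of 32 key bytes
    private static final int NONCE_BYTES = 12;               // 96-bit GCM nonce
    private static final int TAG_BITS = 128;                 // full-length GCM tag

    public AesGcmDecryptor() {} // parameterless constructor required by OBLOADER & OBDUMPER

    // Input: Base64 of nonce || ciphertext || tag, as produced by encrypt() below.
    public String decrypt(String encryptedRaw) throws GeneralSecurityException {
        byte[] blob = Base64.getMimeDecoder().decode(encryptedRaw); // tolerates line wraps
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("secure file too short to hold nonce and tag");
        }
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, nonce));
        // doFinal verifies the tag: a modified file or a wrong key throws AEADBadTagException.
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    // Offline helper for producing the secure file; OBLOADER & OBDUMPER never call it.
    public static String encrypt(String plaintext, SecretKey key) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        new SecureRandom().nextBytes(nonce); // fresh nonce per file; never reuse one with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, blob, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    private static SecretKey loadKey() throws GeneralSecurityException {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null) throw new GeneralSecurityException(KEY_ENV + " is not set");
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 32) throw new GeneralSecurityException("expected a 32-byte AES-256 key");
        return new SecretKeySpec(raw, "AES");
    }
}
```

Register it with decrypt.className=com.example.decrypt.AesGcmDecryptor and point secure.filePath at a file containing the string returned by encrypt(); privateKey.filePath stays unset because the key comes from the environment.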