By default, OBLOADER & OBDUMPER can run after you explicitly specify sensitive information such as the password on the command line. To enhance information security, OBLOADER & OBDUMPER V4.2.0 and later provides methods to encrypt and decrypt sensitive information on command lines.
Use secure-gen to encrypt information
Install OpenSSL and configure environment variables.
Note
To use secure-gen to encrypt information, you must install the OpenSSL toolkit. For more information, see the "View the help information of secure-gen" section in this topic.
Verify that OpenSSL is installed.
$ which openssl /usr/bin/opensslEncrypt sensitive files in the local path.
./secure-gen -n <file_path>Note
Sensitive information files must meet the specifications described in Property File Format. You can also edit the sensitive information to be encrypted in the CLI. Example:
Run the following command in the
{ob-loader-dumper}/tools/directory../secure-gen -iEdit the parameters to be encrypted in the CLI and then enter
:wqto save and exit.# Input the sensitive fields below in plain-text respectively. # Note you can leave any of them as blank, ob-loader-dumper will parse from cli args first, and override any field if there is a conflict. # # Database password. oceanbase.jdbc.password=****** # Database password for sys tenant. oceanbase.jdbc.sys.password=****** # Access key for cloud storages like OSS & S3. cloud.storage.access.key=****** # Secret key for cloud storages like OSS & S3. cloud.storage.secret.key=****** :wqThe following table lists the sensitive parameters that can be encrypted by OBLOADER & OBDUMPER.
Parameter Description oceanbase.jdbc.password Optional. The password of a business tenant of OceanBase Database. oceanbase.jdbc.sys.password Optional. The password of the sys tenant in OceanBase Database. cloud.storage.access.key Optional. The AccessKey ID used to access a cloud storage service such as Amazon Simple Storage Service (S3) or Alibaba Cloud Object Storage Service (OSS). cloud.storage.secret.key Optional. The AccessKey secret used to access a cloud storage service such as Amazon S3 or Alibaba Cloud OSS.
You can choose whether to use an existing key as prompted.
$ ./secure-gen Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n):Enter
nto regenerate a key pair by using OpenSSL. By default, the key pair is stored in the<Root directory of the user>/.loaddump/secure/directory. By default, the public key file iskey.pem.pub, and the private key file iskey.pem.Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): n Generating RSA private key, 4096 bit long modulus ............++ .......................................................++ e is 65537 (0x10001) Writing RSA key The key pair has been generated under the directory /Users/chang/.loaddump, please keep it safe. The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information. If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.Enter
yto use an existing key pair. OBLOADER & OBDUMPER load the key pair from the/.loaddump/secure/ secure.rsa.Detected that a key already exists, do you want to use it? If not, a new key will be generated and overwrite the existing key (y/n): y The encrypted file /Users/chang/.loaddump/secure/secure.rsa has been generated for sensitive information. If you want to use it, please fill in the corresponding content in conf/decrypt.properties properly.
Verify whether the key pair and encrypted file are generated.
$ ls ~/.loaddump/secure/ key.pem key.pem.pub secure.rsaEnter the encrypted information in
decrypt.propertiesin the{ob-loader-dumper}/conf/decrypt.propertiesdirectory.# Absolute path of your secure file, whose name is secure.rsa by default. # secure.filePath= # Absolute path of your private key. whose name is key.pem by default. # privateKey.filePath= # Decrypt class name. Fill in this field only if you need a custom mechanism of decryption. # decrypt.className=
View the help information of secure-gen
secure-gen is an executable Shell script. It can encrypt sensitive information fields by using the RSA algorithm. When you run OBLOADER or OBDUMPER, it will parse decrypt.properties in the {ob-loader-dumper}/conf directory to securely obtain sensitive information.
secure-gen is located in the {ob-loader-dumper}/tools/ directory. You can run ./secure-gen -h or directly enter ./secure-gen to view the help information of secure-gen.
$ ./secure-gen -h
Usage: ./secure-gen [-n <file>][-i][-h]
Description:
-n: Specify a to-be-encrypted file of sensitive contents in plain-text, use -i to check out the format.
-i: Input sensitive contents in interactive mode.
-h: Display this message.
Customize an encryption/decryption mechanism
If OpenSSL is not installed, you can perform the following steps to customize an encryption/decryption mechanism.
Create a plaintext file for encryption.
The file to be encrypted must meet the specifications described in "Properties File Format." For more information, visit Properties File Format.
Write a decryption class file in Java. The class definition must meet the following requirements:
A parameterless constructor function must be defined.
The class must have a non-static method:
public String decrypt(String encryptRaw). TheencryptRawformal parameter indicates the encrypted text. The return value is the decrypted text.
Package the decryption class as a JAR package and place the package in the
{ob-loader-dumper}/lib/directory.Configure corresponding content in
decrypt.propertiesin the{ob-loader-dumper}/confdirectory.
Examples
Create a Maven project and write a CustomDecryptor class. Use Base64 for encoding and decoding.
Note
In a production environment, you can choose an appropriate encryption/decryption algorithm as needed.
Create a plaintext file for encryption and encode the file by using Base64.
# Create a plaintext file. $ vi password.txt # Enter the following content in the file. Then, save the file and exit. oceanbase.jdbc.password=****** oceanbase.jdbc.sys.password=****** # Encrypt the encoded file as custom.key. $ echo $(base64 password.txt) > /user/loaddump/custom.keyCreate a Java project. In the project,
CustomDecryptor.javais a custom decryption class that you need to write.
Write the
CustomDecryptorclass.package com.example.decrypt; import java.nio.charset.StandardCharsets; import sun.misc.BASE64Decoder; public class CustomDecryptor { public CustomDecryptor() {} /** * This method takes an encrypted string, decrypt it, and return it as a plain string. */ public String decrypt(String encryptedRaw) throws Exception { BASE64Decoder decoder = new BASE64Decoder(); return new String(decoder.decodeBuffer(encryptedRaw), StandardCharsets.UTF_8); } }Package the
CustomDecryptorclass as a JAR package and place the package in the{ob-loader-dumper}/lib/directory to finish setting the decryptor.mvn package && mv target/example-1.0-SNAPSHOT.jar path/to/ob-loader-dumper/lib/Enter corresponding content in
decrypt.propertiesin the{ob-loader-dumper}/conf/directory.# Absolute path of your secure file, whose name is secure.rsa by default. secure.filePath=~/tmp/custom.key # Absolute path of your private key. whose name is key.pem by default. # privateKey.filePath= # Decrypt class name. Fill in this field only if you need a custom mechanism of decryption. decrypt.className=com.example.decrypt.CustomDecryptorNote
If you use a custom SDK for encryption and decryption, the
privateKey.filePathparameter is optional.Securely run OBLOADER & OBDUMPER.
./obdumper -hxx.x.x.x -P2883 -t example -D example --csv --allNote
When you run OBLOADER & OBDUMPER, you do not need to explicitly declare the
-p/--passwordor--sys-passwordoption.