Encrypted Credentials in Custom Applications

HEAVY.AI can accept a set of encrypted credentials for secure authentication of a custom application. This topic describes how to provide an encryption key for generating encrypted credentials, and the configuration options that enable decryption of those credentials.

Generating an Encryption Key

Generate a 128- or 256-bit encryption key and save it to a file. You can use https://acte.ltd/utils/randomkeygen to generate a suitable encryption key.

Configuring the Web Server

Set the encryption-key-file-path web server parameter in heavyai.conf to the path of the encryption key file:

[web]
encryption-key-file-path = "path/to/file"

Alternatively, you can set the path using the --encryption-key-file-path=path/to/file command-line argument.

Generating Encrypted Credentials

Generate encrypted credentials for a custom application by running the following Go program, replacing the example key and credentials strings with an actual key and actual credentials. You can also run the program in a web browser at https://play.golang.org/p/nNBsZ8dhqr0.

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
    "fmt"
    "io"
)

// 1. Replace the example key with your encryption key.
//    The key is used as raw bytes, so it must be 16 or 32 characters long.
var key = "v9y$B&E(H+MbQeThWmZq4t7w!z%C*F-J"

// 2. Replace the strings "username", "password", "dbName" with credentials.
var stringsToBeEncrypted = []string{
    "username",
    "password",
    "dbName",
}

// 3. Run the program to see the encrypted credentials in the console.
func main() {
    for _, s := range stringsToBeEncrypted {
        encrypted, err := EncryptString(s)
        if err != nil {
            panic(err)
        }
        fmt.Printf("%s => %s\n", s, encrypted)
    }
}

// EncryptString encrypts str with AES-GCM under key and returns the
// hex encoding of the random nonce followed by the ciphertext and tag.
func EncryptString(str string) (encrypted string, err error) {
    block, err := aes.NewCipher([]byte(key))
    if err != nil {
        return "", err
    }
    aesGCM, err := cipher.NewGCM(block)
    if err != nil {
        return "", err
    }
    // A fresh random nonce is generated for every value.
    nonce := make([]byte, aesGCM.NonceSize())
    if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
        return "", err
    }
    // Passing nonce as dst prepends it to the sealed output.
    cipherBytes := aesGCM.Seal(nonce, nonce, []byte(str), nil)

    return fmt.Sprintf("%x", cipherBytes), nil
}
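
To check that a generated value decrypts under the key in the key file before deploying it, the following added example (not part of the HEAVY.AI documentation or code base) reverses the layout the program above emits: the hex encoding of nonce, ciphertext and GCM tag. The names newGCM, Seal and Open and the sample key are hypothetical, and that the web server parses the value in the same way is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 16 && len(key) != 32 { // 128- or 256-bit keys only
		return nil, fmt.Errorf("key is %d bytes, want 16 or 32 (stray newline?)", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal emits the same layout as the program above: hex(nonce || ciphertext || tag).
func Seal(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// Open splits off the nonce and fails if the key is wrong or the value was altered.
func Open(key []byte, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("value is not hex(nonce || ciphertext || tag)")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}

func main() {
	fmt.Println(Seal([]byte("0123456789abcdef"), "username")) // constructed sample key
}
```

A key file saved with a trailing newline is one byte too long when read as raw bytes, which the length check in newGCM reports before any credential is encrypted.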