How to apply encryption on passwords if password is passed on Parameters and not in password fields

[vkydhyani]

Hi Team,
I am not sure if this is the right forum for this question, But I am facing one challenge and seeking ideas and best practices to do this.
So, When I add a new connection to Snowflake using table Input, I am basically using username password and private key file as security.

But as you can guess I am actually passing the password of private key file in the parameters, Is there a way i can pass encrypted password or something in param?

I have the same issue in Rest Client, where I am not sure how to pass encrypted password in Param.

Any help will be appreciated. thanks

[bamaer]

as explained in the docs, Apache Hop uses password obfuscation for password fields in relational database connections and other password fields.
This is not full encryption, we need to be able to send the clear text password in the connection. With obfuscation, instead of the clear text password, Apache Hop will write something like Encrypted 2be98afc86aa7f2e4cb79ce10df90acde.

Ideally, you'll use a variable (e.g. ${MY_DB_PASSWORD} in the connection field in your project and specify the password value in an environment configuration file. Thi allows you to keep your code (project) and configuration (environments and environment configuration files) separate.

As an alternative, If you don't want to store your passwords in a file, you could add parameters to your workflows and pipelines and pass the password as a parameter value in runtime.

We plan to implement integration with secret stores in a future release, but that is not available yet.

[vkydhyani]

The connection I am trying to access is snowflake, Like shown below - As this password is in Option tab I cant encrypt it. Is there a way to do this.

[hansva]

no unfortunately only password fields can be obfuscated.

[bamaer]

that's not possible (yet) afaik, but it's an option or a set of options we could consider adding to the Snowflake connection. feel free to create a feature request so we can keep trace of this.

[dave-csc]

Hi @vkydhyani,

I use this workaround in situations where an encypted/obfuscated field is needed, but can't be used in such way in Hop. I simply decrypt it in real time 😅 :

1. Store the encrypted field in a configuration file, as you would do with a normal password (insert the value, and then use the Encode value button)
2. In your pipeline, use a Get variables transform to retrieve this field (save it in a field named e.g. pwd_encrypted)
3. Link this to a User Defined Java Expression, and configure it as following:
   • New field: pwd_decrypted
   • Java expression: org.apache.hop.core.encryption.Encr.decryptPasswordOptionallyEncrypted(pwd_encrypted)
   • Value type: String

You will get the decrypted field in the field pwd_decrypted, and you can use it for example in REST client as header or parameter.

Just a side note: beware of the log level of your workflows/pipelines, the more detailed it is the higher is the risk that your decrypted field appears somehow in the log trace (especially if you take the next step to store the pwd_decrypted field in a variable). You probably don't want this...

Hope this helps

[gmitter-ef]

We are applying also exactly this workaround, and can verify the problems of unencrypted passwords in the logs when level is set to Debug, or when the REST step fails.