How to generate a new encryption.key file?

What is the encryption.key file?

A standalone node or a primary node uses the encryption.key file to encrypt and decrypt secured data at rest. It is generated by the installer and can be regenerated afterward with a script.

By default, this file is saved in <node dir>/conf/encryption.key, but it can be stored elsewhere (in that case, update the com.systar.titanium.encryptionKeyFile entry in the platform.properties file).

This file is generated by a cryptographic algorithm that combines a password (chosen by a person) with a salt (to strengthen a password that would be weak on its own).

This is a mandatory file for starting a deployment even if no data is configured as encrypted.

Because the encryption.key file alone is sufficient to decrypt the data, the key and the encrypted data must not be stored next to each other.

What is the encryption.salt file?

The encryption.salt file is used only to generate a secured encryption.key file; the deployment itself does not use it. It is randomly generated by the installer and CANNOT be regenerated afterward.

This file is saved in <node dir>/var/data/titanium-temporal/encryption.salt, where <node dir> is the directory of a primary node or a standalone node.

This file CANNOT be regenerated and MUST be backed up. Together with the password, it is required to regenerate the encryption.key file.

What is the encryption.hash file?

The encryption.hash file is automatically generated at first startup. It is then used at each startup to check that the encryption.key file has not changed.

This file is stored in <node dir>/var/data/titanium-temporal/encryption.hash, where <node dir> is the directory of a primary node or a standalone node.

Do not remove this file: if it is missing, it is regenerated from whichever encryption.key file is currently available (which could differ from the one previously used by the node), so a changed key would no longer be detected.

Using the tnd-generate-encryption-key script

This is useful to regenerate the key after a disk crash, for instance. The password and the salt file together are your backup of the key.

Execute the script <node dir>/bin/tnd-generate-encryption-key.bat (Windows) or <node dir>/bin/tnd-generate-encryption-key.sh (Linux).

If successful, the files encryption.key and encryption.salt are written to <node dir>/conf and <node dir>/var/data/titanium-temporal respectively.

During script execution, you are prompted to choose a password, after which both files are generated.

The password must be longer than 8 characters, as this is the policy for admin passwords.

How to regenerate the encryption key with a specific salt file

tnd-generate-encryption-key prompts the user for the salt file path. If a file exists at that path, it is used; otherwise a new salt is generated.
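As an added illustration (not the platform's own code: the page does not state the real KDF, key length or hash format, so PBKDF2-HMAC-SHA256 and a SHA-256 fingerprint are assumed stand-ins), the Python below models the workflow described on this page: a salt that is reused when its file exists, a key derived from password plus salt, and an encryption.hash-style fingerprint recorded at first startup and compared afterwards. The throwaway node directory and file layout are constructed for the example.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Assumed parameters: the page does not state the platform's real KDF or
# key size, so PBKDF2-HMAC-SHA256 with these values stands in for it.
KDF_ITERATIONS = 200_000
KEY_LEN = 32
MIN_PASSWORD_LEN = 8  # page: the password must be longer than 8 characters

def make_node_dir() -> Path:
    """Constructed throwaway <node dir> so the example runs offline."""
    return Path(tempfile.mkdtemp(prefix="node-"))

def load_or_create_salt(salt_path: Path) -> bytes:
    """Reuse an existing encryption.salt, otherwise generate a new random one.

    Mirrors the script: an existing salt is reused so the same password
    reproduces the same key; a missing salt means a brand-new key.
    """
    if salt_path.exists():
        return salt_path.read_bytes()
    salt = secrets.token_bytes(16)
    salt_path.parent.mkdir(parents=True, exist_ok=True)
    salt_path.write_bytes(salt)
    return salt

def derive_key(password: str, salt: bytes) -> bytes:
    """Combine the human-chosen password with the salt into key material."""
    if len(password) <= MIN_PASSWORD_LEN:
        raise ValueError("password must be longer than 8 characters")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=KEY_LEN)

def key_fingerprint(key: bytes) -> str:
    """What an encryption.hash-style file holds: a digest of the key, not the key."""
    return hashlib.sha256(key).hexdigest()

def check_key_unchanged(key: bytes, hash_path: Path) -> bool:
    """First startup records the fingerprint; later startups compare against it."""
    fingerprint = key_fingerprint(key)
    if not hash_path.exists():
        hash_path.write_text(fingerprint)  # missing hash file: silently re-created
        return True
    return secrets.compare_digest(hash_path.read_text().strip(), fingerprint)
```

Running the derivation twice with the same password and the same salt file yields the same key, which is why the password and the salt file together are the backup; a different salt or a different password yields a key that the recorded fingerprint rejects.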
