In this article

Overview

All SnapLogic endpoints use the Standard Encryption setting by default. As an Org admin using Groundplex instances to run your Pipelines, you can encrypt Account credentials that access endpoints from SnapLogic using data/server keys.

Enabling Enhanced Account Encryption

Prerequisites

Google Chrome version 37 and later.
A Groundplex. Windows and Linux machines are supported, but if you plan to host your Snaplex instances in an mixed ecosystem (Windows and Linux OS), the server and data keys must be encrypted on a Linux machine to be used on a Linux-based Snaplex.
If you are using Linux, make sure you have the latest install of the RPM/DEB on each Groundplex node.
A Java 11 environment.

Preparing Groundplex Nodes for Enhanced Encryption

SnapLogic Enhanced Encryption makes use of key sizes that are not supported in the standard installation. After restarting the service, a new key pair is generated automatically and saved to disk, per JCC node. You must copy the generated data keys files (jcc-datakeys.jks and jcc-datakeys.pass) from one node to all of the others in the Groundplex.

Using a Linux machine

On Linux, the keys are in the /etc/snaplogic folder.
After you copy the files to the other nodes, restart the service on each node.
During startup, the nodes upload their public keys to the SnapLogic cloud. You can view the keys displayed in the Encryption Settings dialog.

Using a Windows machine

On Windows Groundplex instances, copy the keys to a secure folder. Only the security administrators and users that run the Groundplex service must have access to the directory.
Add the location of the directories as an environmental variable or Java property in Windows with the name SL_KEY_DIR.

Applying Enhanced Account Encryption to your Org

To configure Enhanced Account Encryption on a Groundplex for your SnapLogic Org:

Log in as an Org admin and navigate to Manager > Settings, then click Configure Encryption.
On the Encryption Settings dialog, click the Groundplex tab (default), then select Enhanced encryption.
1. Verify that the same key is used on all nodes of the Groundplex; otherwise, you cannot configure the Org with Enhanced Encryption because all keys used across an Org must be consistent
2. Select the level of sensitivity based on the following:
  - High. Encrypts passwords and secret keys
  - Medium and High. Encrypts usernames, passwords, and secret keys
  - Low, Medium, and High. Encrypts host name, database names, database URL properties, usernames, passwords, and secret keys.
3. To set a key for the entire Org, select the target key. Only those keys that are available on all nodes are displayed.
4. Confirm the new key. This configuration causes all accounts to be decrypted using the existing keys and then re-encrypted with the newly selected Org-level key.
Click Update to apply enhanced encryption.

When you view the Org Settings, the new Status displays under Configure Encryption:

Scope and Limitations

Once Enhanced Account Encryption is enabled, you are not be able to see or edit the existing values for the encrypted data types.

However, you are able to enter a new value in that field and save it.

If you change your sensitivity level from Low, Medium, High to High, existing accounts remain at the previous level unless you update them; going in the other direction causes account data to be encrypted. All new accounts follow the new sensitivity encryption level.
If you revert to standard encryption, the encrypted data is not automatically decrypted. As long as the server key is still in the node, the encrypted values continue to work.

Key Rotation

To change the enhanced encryption key (key rotation) for an organization, perform the following steps:

Install the latest Groundplex RPM/DEB on one of the Groundplex nodes which is already running with enhanced encryption. This step is required to get the new addDataKey option in the jcc.sh script.
As root user, run the following command:

This command generate a new key pair and append it to the keystore in /etc/snaplogic folder with the specified alias (keyFeb2020).
You must copy the generated data keys files (jcc-datakeys.jks and jcc-datakeys.pass) from this node to all the others in the Org, similar to when originally setting up the enhanced encryption feature.
Restart the nodes in the Org. This step is required to pick up the updated key pair. Each node can be restarted one at a time from the dashboard in order to do an online restart.
Once all the nodes are running with the new key pair loaded, the Enhanced Encryption settings display the drop-down list allowing the Org admin to change to the new key.

After you enable Enhanced Encryption on your Groundplex nodes:

Currently running Pipelines continue when the key is being rotated.
Accounts in the organization are sent to the Groundplex to be decrypted with the old key and then encrypted with the new key.
Accounts that were exported when the Org ran with the old key have the Sensitivity fields encrypted with the old key. When the account information is imported into the Org after the key is rotated, the account is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.
The updates to the key store using the script are supported only on a Linux-based Groundplex machine. The updated key store can be copied to the Windows-based Groundplex machine to ensure that the rotated key is applied on the Windows machine as well. If using a Groundplex on Windows only, you can install the Linux RPM on a stand-alone machine for the purpose of updating the key store using the jcc.sh script.

Adding Groundplex Nodes

When adding new nodes to a Groundplex, you must ensure that the new nodes have the same key as the other nodes. If a node does not have a matching key, it is ignored until the keys are synchronized. You can redo the configuration through the Enhanced Encryption Settings dialog in the Manager > Settings > Configure Encryption by checking the current key compatibility status.