Month: May 2013

Cloudstack password encryption

I was once asked to update the db password in the files in Cloudstack. I kind of knew the guy who asked me was still in Cloudstack 2.2 land where passwords were in plain old text, but as of Cloudstack 3.x, the passwords in file and other passwords for that fact are encrypted. Lets have a closer look at the file.

The following file on each cloudstack and cloudplatform server contains the db connection details


In this file there is information about the db username and password details.

# CloudStack database tuning parameters 1

In cloudplatform and cloudstack version 3 +, the is encrypted. To change this, run the following file to work out the encrypted password

java -classpath /usr/share/java/cloud-jasypt-1.8.jar 
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="Password12" 
password="$(cat /etc/cloud/management/key)" verbose=true



is the password you wish to encrypt.

The output should look something like this.

$ java -classpath /usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="Password12" password="$(cat /etc/cloud/management/key)" verbose=true


Runtime: Sun Microsystems Inc. OpenJDK 64-Bit Server VM 20.0-b12


verbose: true
input: Password12
password: password



The 57nNfvJaN9X54lbJi0pjugc9YylyRo8c is the encrypted password for Password12. Use this as the new password in the file

If you wish to decrypt the password, run the following command:

java-classpath/usr/share/java/cloud-jasypt-1.8.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI decrypt.shinput="57nNfvJaN9X54lbJi0pjugc9YylyRo8c"  password="$(cat /etc/cloud/management/key)"verbose=false

The password is then displayed, in this case Password12