
What strategies/seeds does Splunk use to encrypt passwords?

woodcock
Esteemed Legend

There are many kinds of passwords including:

Splunk user passwords.
Splunk cluster/infrastructure passwords (e.g. pass4SymmKey)
Splunk modular input passwords (e.g. DB Connect).

How are these encrypted and how can I make them use the same seed/decryption so that I can distribute encrypted credentials from my Deployment Server?
Am I missing any other types?

1 Solution

harsmarvania57
Ultra Champion

For DB Connect 2 and DB Connect 3, Splunk uses the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat file to encrypt/decrypt identity passwords, and it does not use splunk.secret for this. If you would like to copy an encrypted password from one Splunk instance to another, then you must have the same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat on both Splunk instances.

If you are trying to set up DB Connect for the first time, then I suggest setting up/installing DB Connect on one Splunk instance and copying $SPLUNK_HOME/etc/apps/splunk_app_db_connect/ to the other Splunk instance (if you are trying to set up active-standby Splunk instances), so that you have the same identity.dat file on both instances and can copy encrypted identity passwords from one Splunk instance to the other.


woodcock
Esteemed Legend

Local Splunk user passwords do not use splunk.secret. On Linux you can still get away without any password at all; Splunk will just not create an admin then. However, LDAP and DB Connect passwords are dependent on splunk.secret.



woodcock
Esteemed Legend

I know that pass4SymmKey is encrypted using $SPLUNK_HOME/etc/auth/splunk.secret, which is generated at first-time run (FTR) of Splunk (if the file does not exist, Splunk creates a random one). So use the same one for all of your infrastructure, and that covers #2 above. According to this blog, it can even be synchronized after FTR through a somewhat arduous process: https://www.hurricanelabs.com/splunk-tutorials/update-splunk-secret-without-breaking-your-production...

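The precondition stated in the accepted answer (the same identity.dat for DB Connect identities) and in the pass4SymmKey comment above (the same splunk.secret for cluster keys), turned into a pre-flight check. This is an added example, not code from the thread or from Splunk's own tooling: it fingerprints each key file on a source and a target $SPLUNK_HOME, reports per credential family whether ciphertext copied from the source will decrypt on the target, flags a key file readable by group or others, and separates already-encrypted pass4SymmKey values (Splunk prefixes those with $1$ or $7$) from plaintext ones in a server.conf. The directory trees, key-file contents and the server.conf snippet are constructed fixtures, not real keys or ciphertext; the family names and the wording of the plan are assumptions of this example.

```python
"""
Pre-flight check before copying Splunk-encrypted credentials between instances.
From the thread: pass4SymmKey is bound to $SPLUNK_HOME/etc/auth/splunk.secret
(random on first start if absent) and DB Connect identity passwords to
$SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat. Ciphertext only
decrypts on a target whose key file is byte-for-byte identical to the source's.
"""
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Key file per name, relative to $SPLUNK_HOME.
KEY_FILES = {
    "splunk.secret": os.path.join("etc", "auth", "splunk.secret"),
    "identity.dat": os.path.join("etc", "apps", "splunk_app_db_connect", "certs", "identity.dat"),
}

# Which key file each credential family is bound to, per the answers in the thread.
DEPENDS_ON = {"pass4SymmKey": "splunk.secret", "dbconnect_identity": "identity.dat"}

# Splunk prefixes values it has already encrypted with $1$ (legacy) or $7$.
ENCRYPTED_RE = re.compile(r"^\$[17]\$")


def fingerprint(splunk_home: str, key_name: str) -> Optional[str]:
    """SHA-256 of a key file, or None if this instance does not have it."""
    path = os.path.join(splunk_home, KEY_FILES[key_name])
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def loose_permissions(splunk_home: str, key_name: str) -> bool:
    """True if group or others can read the key file: whoever reads it can
    decrypt every credential bound to it."""
    mode = os.stat(os.path.join(splunk_home, KEY_FILES[key_name])).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def plan_copy(src_home: str, dst_home: str) -> Dict[str, str]:
    """Per credential family: will ciphertext from src decrypt on dst, and if not, why."""
    plan = {}
    for family, key in DEPENDS_ON.items():
        src_fp, dst_fp = fingerprint(src_home, key), fingerprint(dst_home, key)
        if src_fp is None:
            plan[family] = "key missing on source"
        elif dst_fp is None:
            plan[family] = "key missing on target: copy %s before first start" % key
        elif src_fp != dst_fp:
            plan[family] = "key mismatch: %s differs, ciphertext will not decrypt" % key
        else:
            plan[family] = "ok"
    return plan


def classify_values(conf_text: str, setting: str = "pass4SymmKey") -> Tuple[List[str], List[str]]:
    """Split the values of `setting` into already-encrypted ones (bound to the
    source's key) and plaintext ones (Splunk encrypts those with the target's own
    key on startup, so they deploy anywhere but sit in clear text until then)."""
    encrypted, plaintext = [], []
    pattern = re.compile(r"^\s*%s\s*=\s*(\S.*?)\s*$" % re.escape(setting), re.M)
    for match in pattern.finditer(conf_text):
        value = match.group(1)
        (encrypted if ENCRYPTED_RE.match(value) else plaintext).append(value)
    return encrypted, plaintext


def build_fixture(secret: Optional[bytes], identity: Optional[bytes]) -> str:
    """Constructed stand-in for a $SPLUNK_HOME tree; the contents are not real keys."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    for name, content in (("splunk.secret", secret), ("identity.dat", identity)):
        if content is None:
            continue
        path = os.path.join(home, KEY_FILES[name])
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o400)  # the key file is the decryption key: owner-read only
    return home


# Constructed server.conf snippet: one value Splunk already encrypted, one still in clear.
SAMPLE_SERVER_CONF = """
[general]
pass4SymmKey = $7$Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbm90LXJlYWwtY2lwaGVydGV4dA==

[clustering]
pass4SymmKey = changeme-plaintext
"""


def demo() -> Dict[str, Dict[str, str]]:
    """Source and a standby that share splunk.secret but not identity.dat, plus a
    freshly unpacked target that has neither DB Connect nor a seeded secret."""
    src = build_fixture(b"S" * 254 + b"\n", b"src-identity-material")
    standby = build_fixture(b"S" * 254 + b"\n", b"standby-identity-material")
    fresh = build_fixture(None, None)
    return {"standby": plan_copy(src, standby), "fresh": plan_copy(src, fresh)}


if __name__ == "__main__":
    for target, plan in demo().items():
        for family, status in plan.items():
            print("%-8s %-19s %s" % (target, family, status))
    print(classify_values(SAMPLE_SERVER_CONF))
```

Run this against the source and each target before pushing an app that carries encrypted stanzas from a deployment server. A "key mismatch" does not stop the copy; it shows up later as a decryption or authentication failure on the target, which is why the check belongs before the push. Plaintext pass4SymmKey values deploy to any target because Splunk encrypts them with the target's own splunk.secret on startup, at the cost of the key sitting in clear text in the deployment app until then.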