There are many kinds of passwords including:
Splunk user passwords.
Splunk cluster/infrastructure passwords (e.g. pass4SymmKey)
Splunk modular input passwords (e.g. DB Connect).
How are these encrypted and how can I make them use the same seed/decryption so that I can distribute encrypted credentials from my Deployment Server?
Am I missing any other types?
For DB Connect 2 and DB Connect 3, splunk is using $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat
file to encrypt/decrypt Identities password and it is not using splunk.secret
for this. If you would like to copy encrypted password from one splunk instance to another splunk instance then you must have same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat
in both the splunk instance.
If you are trying to setup DB Connect first time then I'll suggest setup/install DB Connect in one splunk instance and copy $SPLUNK_HOME/etc/apps/splunk_app_db_connect/
to another splunk instance (if you are trying to setup active-standby splunk instance) so that you'll have same identity.dat
file in both the splunk instance so you can copy encrypted identities password from one splunk instance to another.
Local Splunk user passwords do not use splunk.secret
. On Linux you can still get away without any password at all, Splunk will just not create an admin then. However, LDAP and DBConnect passwords are dependent on splunk-secret
.
For DB Connect 2 and DB Connect 3, splunk is using $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat
file to encrypt/decrypt Identities password and it is not using splunk.secret
for this. If you would like to copy encrypted password from one splunk instance to another splunk instance then you must have same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat
in both the splunk instance.
If you are trying to setup DB Connect first time then I'll suggest setup/install DB Connect in one splunk instance and copy $SPLUNK_HOME/etc/apps/splunk_app_db_connect/
to another splunk instance (if you are trying to setup active-standby splunk instance) so that you'll have same identity.dat
file in both the splunk instance so you can copy encrypted identities password from one splunk instance to another.
I know that pass4SymmKey
is encrypted using $SPLUNK_HOME/etc/auth/splunk.secret
which is generated at first-time-run (FTR) of Splunk startup (if the file does not exist, Splunk creates a random one). So use the same one for all of your infrastructure and that covers #2 above. According to this blog, it can even be synchronized after FTR through a somewhat arduous process: https://www.hurricanelabs.com/splunk-tutorials/update-splunk-secret-without-breaking-your-production...