All Apps and Add-ons

What strategies/seeds does Splunk use to encrypt passwords?

woodcock
Esteemed Legend

There are many kinds of passwords including:

Splunk user passwords.
Splunk cluster/infrastructure passwords (e.g. pass4SymmKey)
Splunk modular input passwords (e.g. DB Connect).

How are these encrypted and how can I make them use the same seed/decryption so that I can distribute encrypted credentials from my Deployment Server?
Am I missing any other types?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

For DB Connect 2 and DB Connect 3, splunk is using $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat file to encrypt/decrypt Identities password and it is not using splunk.secret for this. If you would like to copy encrypted password from one splunk instance to another splunk instance then you must have same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat in both the splunk instance.

If you are trying to setup DB Connect first time then I'll suggest setup/install DB Connect in one splunk instance and copy $SPLUNK_HOME/etc/apps/splunk_app_db_connect/ to another splunk instance (if you are trying to setup active-standby splunk instance) so that you'll have same identity.dat file in both the splunk instance so you can copy encrypted identities password from one splunk instance to another.

View solution in original post

0 Karma

woodcock
Esteemed Legend

Local Splunk user passwords do not use splunk.secret. On Linux you can still get away without any password at all, Splunk will just not create an admin then. However, LDAP and DBConnect passwords are dependent on splunk-secret.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

For DB Connect 2 and DB Connect 3, splunk is using $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat file to encrypt/decrypt Identities password and it is not using splunk.secret for this. If you would like to copy encrypted password from one splunk instance to another splunk instance then you must have same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat in both the splunk instance.

If you are trying to setup DB Connect first time then I'll suggest setup/install DB Connect in one splunk instance and copy $SPLUNK_HOME/etc/apps/splunk_app_db_connect/ to another splunk instance (if you are trying to setup active-standby splunk instance) so that you'll have same identity.dat file in both the splunk instance so you can copy encrypted identities password from one splunk instance to another.

View solution in original post

0 Karma

woodcock
Esteemed Legend

I know that pass4SymmKey is encrypted using $SPLUNK_HOME/etc/auth/splunk.secret which is generated at first-time-run (FTR) of Splunk startup (if the file does not exist, Splunk creates a random one). So use the same one for all of your infrastructure and that covers #2 above. According to this blog, it can even be synchronized after FTR through a somewhat arduous process: https://www.hurricanelabs.com/splunk-tutorials/update-splunk-secret-without-breaking-your-production...

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.