All Apps and Add-ons
Highlighted

What strategies/seeds does Splunk use to encrypt passwords?

Esteemed Legend

There are many kinds of passwords including:

Splunk user passwords.
Splunk cluster/infrastructure passwords (e.g. pass4SymmKey)
Splunk modular input passwords (e.g. DB Connect).

How are these encrypted and how can I make them use the same seed/decryption so that I can distribute encrypted credentials from my Deployment Server?
Am I missing any other types?

0 Karma
Highlighted

Re: What strategies/seeds does Splunk use to encrypt passwords?

Esteemed Legend

I know that pass4SymmKey is encrypted using $SPLUNK_HOME/etc/auth/splunk.secret which is generated at first-time-run (FTR) of Splunk startup (if the file does not exist, Splunk creates a random one). So use the same one for all of your infrastructure and that covers #2 above. According to this blog, it can even be synchronized after FTR through a somewhat arduous process: https://www.hurricanelabs.com/splunk-tutorials/update-splunk-secret-without-breaking-your-production...

0 Karma
Highlighted

Re: What strategies/seeds does Splunk use to encrypt passwords?

SplunkTrust
SplunkTrust

For DB Connect 2 and DB Connect 3, splunk is using $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat file to encrypt/decrypt Identities password and it is not using splunk.secret for this. If you would like to copy encrypted password from one splunk instance to another splunk instance then you must have same $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat in both the splunk instance.

If you are trying to setup DB Connect first time then I'll suggest setup/install DB Connect in one splunk instance and copy $SPLUNK_HOME/etc/apps/splunk_app_db_connect/ to another splunk instance (if you are trying to setup active-standby splunk instance) so that you'll have same identity.dat file in both the splunk instance so you can copy encrypted identities password from one splunk instance to another.

View solution in original post

0 Karma
Highlighted

Re: What strategies/seeds does Splunk use to encrypt passwords?

Esteemed Legend

Local Splunk user passwords do not use splunk.secret. On Linux you can still get away without any password at all, Splunk will just not create an admin then. However, LDAP and DBConnect passwords are dependent on splunk-secret.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.