Encrypting passwords in the Preferences using the KNIME-Master-PW

imax · February 25, 2010, 5:35pm

Hi KNIME-Devs,

Little Story
I have a little question about the Master Password in KNIME.
Some of my nodes are storing sensitive information in the preferences (like passwords).
I know that the preferences stuff will be saved unencrypted.
But I would love to be able to encrypt some of my fields in my preferences.

Question
Is it possible to use the KNIME master-password system to encrypt values in the Preferences Window?
Or is the master-password system only for the specific types in the Configuration Dialog?
It would be too bad if I have to “invent” my own master password system just for my nodes…

Thanks you very much in advance.
-imax.

gabriel · February 25, 2010, 6:37pm

Hi imax,
Yes, it is possible to use the standard KNIME en-/decryption mechanism. This works fine within your node classes, but I have never tried to call it from within the preference page (if this is what you meant by Preference Window). In order to use the Master Key, you can call KnimeEncryption#decrypt() resp. #enrypt() which will launch the Master Key dialog. Give it a try!
Best, Thomas

imax · March 4, 2010, 9:05am

Hi gabriel,

Thank you very much. It works like a charm!
If someone needs the solution here we go:


String value = "superman"
// Encrypt
String crypted_value = KnimeEncryption.encrypt(value.toCharArray()); 
// KNIME will ask here for the MasterPW if not already entered.
// Decrypt
String plain_value = KnimeEncryption.decrypt(crypted_value);

Cheers again gabriel!

-imax.

SaranTvivek · November 16, 2021, 1:16pm

Hi,

Could anyone please clarify where the encrypted password is stored in case of using masterkey by Preference Window or the either case calling KnimeEncryption#decrypt() resp.

Thanks,
Saran

gab1one · November 16, 2021, 5:18pm

You decide what to do with the encrypted pw after encrypting it.
So if you save it to the preference store or node settings.

SaranTvivek · November 23, 2021, 8:15am

@gab1one Thanks for your prompt reply.

We connect to ‘Database connector’ node with credentials stored in config files so far. But due to security issues, the credentials should be encrypted before passing to ‘Database connector’ node.

With few findings and recent studies, i’ve incorporated below method to connect to DB.
I would like to know where the encrypted password is stored in the backend if I am using below ‘credential input’ node. Could you please clarify on the same..

Would that be the recommended approach? If not please let me know the best approach to encrypt/decrypt password. I have been using knime for about two weeks and it’s great so this could be simple but I’m overlooking also Google doesn’t seem to be pulling anything up either.

Note: Unfortunately I am using KNIME older version (below V3) so unable to incorporate credential configuration node into my workflow or any other advanced features either.

SaranTvivek · November 25, 2021, 6:49am

Can some knime experts shed some lights on this topic?

gab1one · November 25, 2021, 10:19am

Hi @SaranTvivek,

Is there any reason why you use such an old AP version? The newest 2.x version (2.12.2) is from 2015.
However, the screenshot you posted does not look like that version. Can you please specify which version you are using?

In recent versions of KNIME AP, we have added greatly enhanced encrypted credential handling, which should satisfy your requirement, this includes a dedicated credentias flowvariable type that uses encrypted credentials which are not persisted to disk unless this is explicitly configured.

best,
Gabriel

SaranTvivek · November 26, 2021, 7:39am

Hi @gab1one Thank you.

Due to organization limit we are using older version 3.5.3. We shall update to new version soon. For time being, we shall incorporate this encryption approach in our code. Could you please help us in knowing where the encrypted password is stored in backend for security purpose.

gab1one · November 29, 2021, 9:50pm

I see,
I will need to investigate this a bit more to give a an exact answer, that is also correct for the version of the AP toy are using.

Best regards
Gabriel

SaranTvivek · November 30, 2021, 2:40am

@gab1one Thank You so much. Awaiting for your response.

gab1one · November 30, 2021, 1:58pm

If this checkbox is not checked, credentials are only saved in memory and never persisted to disk, this means users have to enter them every time they execute the workflow, but it is much more secure.
If you check this option, the credentials are stored (weakly encrypted) in the settings store of that node, which is part of the workflow files. Anyone with access to that workflow will be able to use these credentials, either by importing the workflow to their KNIME AP or by cracking the encryption.

best,
Gabriel

SaranTvivek · December 2, 2021, 6:32am

@gab1one I really appreciate your input and support. This is very much helpful for us. Thank you again.

SaranTvivek · December 3, 2021, 7:37am

@gab1one please let us know on what encryption algorithm is being used to encrypt the password stored in workflow files? And how the key used for this encryption is managed in Knime?

Thank you in advance.
Saran

gab1one · December 6, 2021, 10:15am

Hi @SaranTvivek,

Passwords saved with a workflow are NOT secure, access to the workflow file allows anyone to use and restore the password. As any AP version can read that workflow and use the keys.
Instead, use credential flow variables and configuration nodes without storing the passwords.
When configuring a schedule on the KNIME server, stored credentials entered during the workflow configuration are encrypted on a per workflow schedule basis. This means they don’t suffer from that problem. If you have more security questions, you can also reach out to us directly at support@knime.com so we can setup a call.

best,
Gabriel

SaranTvivek · December 9, 2021, 7:15am

Hi @gab1one,

Thank You so much for this input. I will reach out to support@knime.com in case of any more queries.