
# AES security

There are two ways to secure passwords in PDI: Kettle obfuscation or Advanced Encryption Standard (AES). Kettle obfuscation is applied by default; it hides passwords from casual inspection, but it is a fixed, reversible encoding, so anyone with the PDI libraries can recover the original value. AES encrypts passwords under a key that you supply in a key file, so the stored values are only useful to installations that hold the same key. The password security method you choose is applied to all passwords, including those in database connections, transformation steps, and job entries.

To learn more about AES, see <http://en.wikipedia.org/wiki/Advanced_Encryption_Standard>.

**Note:** The chosen method also applies to passwords that were stored before you switched. If you move from Kettle obfuscation to AES, the previously obfuscated passwords are only read back when `KETTLE_AES_KETTLE_PASSWORD_HANDLING` is set to `DECODE` (see the `kettle.properties` table below); otherwise re-enter and re-save them so that they are stored with AES.

## Install the Java Cryptography Extension (JCE)

1. Back up the files in your `lib/security` folder for the instance of Java that your instance of Pentaho is using. The exact location of the folder depends on whether you are pointing to a standalone version of the JDK or JRE, or whether you are using the version of Java that is bundled with the Wizard.
   * Wizard: `<pentaho installation directory>/java/lib/security`
   * JDK: `<java jdk installation directory>/jre/lib/security`
   * JRE: `<java jre installation directory>/lib/security`
2. Download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from the Oracle website:
   * <http://www.oracle.com/technetwork/java/javase/downloads/index.html>

     Make sure that you download the version of the JCE that corresponds with your Java version. For example, if you are using Java 8, download JCE 8. See the **JDBC drivers reference** in the Try Pentaho Data Integration and Analytics document for the version of Java that Pentaho supports.
3. Stop the server.
4. Unzip the JCE files and copy the `local_policy.jar` and `US_export_policy.jar` files into the `lib/security` folder.
5. Restart the server.
6. Create the AES key file, as described in the next section.

**Note:** Country restrictions may apply when using higher encryption strengths. To learn more about the JCE, see the [Oracle](http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html) site.

The unlimited strength policy files are only needed for 192-bit or 256-bit AES on Java 8 builds older than Update 161; from Java 8u161 onward, and on Java 11, unlimited key lengths are enabled by default. If you only want to use 128-bit encryption, or your Java already allows unlimited key lengths, skip this installation and proceed to Create an AES key file.

## Create an AES key file

The key file is a plain text file that contains the encryption key. Every installation that must read the same encrypted passwords (Spoon, the Pentaho Server, and any cluster nodes) needs an identical copy of it.

1. Create a text file that contains a key phrase, such as *!@ExampleKey#123*. For production use, prefer a long, randomly generated phrase over a memorable one.

   Leading and trailing white spaces are ignored.
2. Save and close the file.

   **Note:** Safeguard the key file: restrict read access to the account that runs Spoon or the Pentaho Server, keep an offline backup, and do not check it into source control. If the key file becomes corrupted or lost, passwords cannot be decrypted.

## Specify AES variables in kettle.properties

Set **AES**-specific variables in the `kettle.properties` file for Spoon, the Pentaho Server, and any clusters.

1. Open the `kettle.properties` file for Spoon. By default, the `kettle.properties` file is in the user’s home directory.
2. Add the following variables and values.

| Variable                                    | Description                                                                                                                                                             | Value                                                                                                                                                                          |
| ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **KETTLE\_PASSWORD\_ENCODER\_PLUGIN**       | <p>Required</p><p>Indicates the type of plugin used.</p>                                                                                                                | *AES*                                                                                                                                                                          |
| **KETTLE\_AES\_KEY\_FILE**                  | <p>Required</p><p>Indicates the path to the key file.</p>                                                                                                               | Path to the key file. Relative paths are resolved against the Kettle working directory, NOT the location of the `kettle.properties` file. Example: `c:/securearea/keyfile.txt` |
| **KETTLE\_AES\_KETTLE\_PASSWORD\_HANDLING** | <p>(Optional)</p><p>Maintain backwards compatibility by setting this variable to <code>DECODE</code>. If this is not set, Kettle-obfuscated passwords stored before the switch are not decoded.</p> | `DECODE`                                                                                                                                                                       |

3. Save and close the `kettle.properties` file.

4. Repeat this process for other `kettle.properties` files on the Pentaho Server and cluster nodes.
5. Restart Spoon, the Pentaho Server, and the cluster nodes; `kettle.properties` is read at startup, so the new values do not take effect until then.
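A pre-flight check for the key file and the `kettle.properties` settings described in the two sections above, written as an added example (this is not Pentaho's own code and is not part of the original documentation). It reads a `kettle.properties` file with a simplified Java properties parser (it handles `key=value`, `key:value` and `#`/`!` comments only, which is an assumption about the files you feed it), resolves `KETTLE_AES_KEY_FILE` the way the table says Kettle does (relative to the working directory, not to `kettle.properties`), and then checks that the key file exists, is non-empty after stripping whitespace, and is not readable by other accounts. The two configurations and the key file in `run_demo` are constructed for the demonstration; the second one deliberately walks into the relative-path trap.

```python
"""Pre-flight check for AES settings in kettle.properties (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

# key=value or key:value, surrounding whitespace dropped (simplified .properties)
_PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Simplified Java .properties reader; # and ! start comment lines."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_aes_config(properties_path, working_dir):
    """Return {'errors': [...], 'warnings': [...]} for the AES variables."""
    props = parse_properties(Path(properties_path).read_text(encoding="utf-8"))
    errors, warnings = [], []

    if props.get("KETTLE_PASSWORD_ENCODER_PLUGIN") != "AES":
        errors.append("KETTLE_PASSWORD_ENCODER_PLUGIN must be AES")

    key_file = props.get("KETTLE_AES_KEY_FILE")
    if not key_file:
        errors.append("KETTLE_AES_KEY_FILE is not set")
        return {"errors": errors, "warnings": warnings}

    # Kettle resolves a relative KETTLE_AES_KEY_FILE against the working
    # directory, NOT against the directory that holds kettle.properties.
    key_path = Path(key_file)
    if not key_path.is_absolute():
        key_path = Path(working_dir) / key_path
    if not key_path.is_file():
        errors.append(f"key file not found: {key_path}")
        return {"errors": errors, "warnings": warnings}

    # Leading and trailing whitespace in the key file is ignored by Kettle.
    if not key_path.read_text(encoding="utf-8").strip():
        errors.append("key file is empty after stripping whitespace")

    if os.name != "nt":  # POSIX permission bits only
        mode = key_path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            warnings.append("key file is readable by group or others")

    if props.get("KETTLE_AES_KETTLE_PASSWORD_HANDLING", "").upper() != "DECODE":
        warnings.append("KETTLE_AES_KETTLE_PASSWORD_HANDLING is not DECODE; "
                        "existing Kettle-obfuscated passwords will not be decoded")
    return {"errors": errors, "warnings": warnings}


def run_demo():
    """Constructed scenario: a correct setup and the relative-path trap."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        secure = base / "securearea"
        secure.mkdir()
        key = secure / "keyfile.txt"
        key.write_text("  !@ExampleKey#123  \n", encoding="utf-8")  # demo key
        if os.name != "nt":
            os.chmod(key, 0o600)

        good = base / "kettle.properties"
        good.write_text(
            "KETTLE_PASSWORD_ENCODER_PLUGIN=AES\n"
            f"KETTLE_AES_KEY_FILE={key.as_posix()}\n"
            "KETTLE_AES_KETTLE_PASSWORD_HANDLING=DECODE\n",
            encoding="utf-8",
        )
        results["absolute_path"] = check_aes_config(good, working_dir=base)

        # Same key file, but referenced relative to kettle.properties: a Spoon
        # started from another working directory will not find it.
        trap = base / "kettle-relative.properties"
        trap.write_text(
            "KETTLE_PASSWORD_ENCODER_PLUGIN=AES\n"
            "KETTLE_AES_KEY_FILE=securearea/keyfile.txt\n",
            encoding="utf-8",
        )
        elsewhere = base / "data-integration"
        elsewhere.mkdir()
        results["relative_path"] = check_aes_config(trap, working_dir=elsewhere)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Run it against each real `kettle.properties` with the working directory from which Spoon, the Pentaho Server or the cluster node is started; an absolute key path, as in the table's example, avoids the second failure entirely.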

## Configure Pentaho for AES encryption

You must register the AES password encoder plugin in two places: on the Pentaho Server (the Tomcat web application) and in the PDI client. Both use the same `kettle-password-encoder-plugins.xml` entry, with `default-encoder` set to `true` so that AES is used for every password that is saved.

Perform the following steps to configure the Pentaho Server and the PDI client:

1. Navigate to the `server/pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes` directory and open the `kettle-password-encoder-plugins.xml` file with any text editor.
2. Add or uncomment the following code:

   ```xml
   <password-encoder-plugin id="AES">
     <description>AES Password Encoder</description>
     <classname>org.pentaho.support.encryption.AESTwoWayPasswordEncoder</classname>
     <default-encoder>true</default-encoder>
   </password-encoder-plugin>
   ```
3. Save and close the file.

   The Pentaho Server (Tomcat) is configured for AES encryption.
4. Navigate to the `design-tools/data-integration/classes` directory and open the `kettle-password-encoder-plugins.xml` file with any text editor.
5. Add or uncomment the following code:

   ```xml
   <password-encoder-plugin id="AES">
     <description>AES Password Encoder</description>
     <classname>org.pentaho.support.encryption.AESTwoWayPasswordEncoder</classname>
     <default-encoder>true</default-encoder>
   </password-encoder-plugin>
   ```
6. Save and close the file.

   The PDI client is configured for AES encryption.

## Create encrypted AES password

Perform the following steps on the machine with the Pentaho Server to create an encrypted AES password. Run the tool on a machine whose `kettle.properties` points at the same key file as the installations that will use the password; a value encrypted under a different key cannot be decrypted by them.

1. From a command line, navigate to the `server/pentaho-server` directory.
2. Run the following command according to your environment type and desired password:
   * Windows: `encr.bat -aes <password>`
   * Linux: `encr.sh -aes <password>`

The encrypted password is printed to the console. Because the plaintext is passed as a command-line argument, it is recorded in your shell history and is visible to other users in the process list while the command runs; remove the history entry afterwards, or run the command from a session that does not keep history.

## Verify correct application

After you have applied AES password encryption, test that it works properly:

1. Start Spoon.
2. Create a blank transformation.
3. Add a database connection that requires a password.

   See the **Install Pentaho Data Integration and Analytics** document for instructions on defining a database connection.
4. Save, then close the transformation.
5. Use a text editor to open the transformation you just saved, then search for the name of the connection you created.
6. Examine the password.

   If the stored value begins with the letters *AES*, the encryption was applied correctly. A value that begins with *Encrypted* means the default Kettle obfuscator is still in use; check `kettle.properties` and `kettle-password-encoder-plugins.xml` on that machine and restart.
7. Close the transformation.
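The manual check above inspects one connection in one file. The following added example (not part of the Pentaho documentation or product) automates it over a saved transformation or job: it walks every `<password>` element in the XML and classifies it as AES-encrypted (the `AES` prefix described above), Kettle-obfuscated (the `Encrypted ` prefix that the default obfuscator writes), a variable reference (`${VAR}` or `%%VAR%%` Kettle syntax, which is never stored encrypted), empty, or plaintext. The sample transformation is constructed for the demo, and the `AES` and `Encrypted` values in it are placeholders, not real output of either encoder.

```python
"""Audit stored passwords in Kettle .ktr/.kjb XML files (added example)."""
from collections import Counter
import xml.etree.ElementTree as ET

KETTLE_PREFIX = "Encrypted "  # written by the default Kettle obfuscator
AES_PREFIX = "AES"            # prefix of AES-encrypted values, per the page


def classify_password(value):
    """Map a stored <password> value to one of the audit categories."""
    v = (value or "").strip()
    if not v:
        return "empty"
    if v.startswith("${") or v.startswith("%%"):
        return "variable"           # resolved at run time, nothing stored
    if v.startswith(AES_PREFIX):
        return "aes"
    if v.startswith(KETTLE_PREFIX):
        return "kettle-obfuscated"  # reversible; should vanish after the switch
    return "plaintext"


def audit_kettle_xml(xml_text):
    """Return [(owner label, category)] for every <password> in the document.

    The owner label is the tag and <name> of the nearest enclosing element
    that has a <name> child (a connection, step or job entry).
    """
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if elem.tag.lower() != "password":
            continue
        owner, label = elem, "<unnamed>"
        while owner is not None:
            name = owner.find("name")
            if name is not None and name.text:
                label = f"{owner.tag}:{name.text.strip()}"
                break
            owner = parents.get(owner)
        findings.append((label, classify_password(elem.text)))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(cat for _, cat in findings))


def aes_only(findings):
    """True when nothing reversible or plain is stored in the file."""
    return all(cat in ("aes", "variable", "empty") for _, cat in findings)


# Constructed sample; ciphertext-looking values are placeholders only.
SAMPLE_KTR = """<transformation>
  <info><name>aes_check</name></info>
  <connection>
    <name>warehouse</name>
    <server>db.example.internal</server>
    <username>etl</username>
    <password>AES PLACEHOLDER-CIPHERTEXT</password>
  </connection>
  <connection>
    <name>legacy</name>
    <username>etl_ro</username>
    <password>Encrypted 00112233445566778899aabbccddeeff</password>
  </connection>
  <connection>
    <name>oops</name>
    <username>admin</username>
    <password>hunter2</password>
  </connection>
  <step>
    <name>upload_sftp</name>
    <type>SFTPPut</type>
    <password>${SFTP_PASSWORD}</password>
  </step>
</transformation>
"""

if __name__ == "__main__":
    result = audit_kettle_xml(SAMPLE_KTR)
    for label, category in result:
        print(f"{label:28} {category}")
    print(summarize(result), "clean:", aes_only(result))
```

Point `audit_kettle_xml` at every `.ktr` and `.kjb` file you have saved since switching, and treat any `kettle-obfuscated` or `plaintext` finding as a file that still needs to be opened, re-saved with the AES encoder active, and re-checked. Note that the check is a prefix match, so a plaintext password that itself starts with `AES` is misreported; the categories are evidence for a human review, not proof of encryption.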
