Password Encryption


This information applies to release 2023.2 and earlier.

Legacy Encryption

To generate a legacy $ENC value, run the encryption script as follows.

  1. Navigate to the pronghorn-core node modules directory.

    cd /opt/pronghorn/current/node_modules/@itential/pronghorn-core
    
  2. Run the following command, replacing mypassword with the plain-text password to encrypt.

    $ npm run encrypt mypassword
    Encrypted Password:
    $ENC8ef3972b5766e64a98df4b11d6d3221d82812e8caed3459e5a0d
    
  3. Use the encrypted value, beginning with $ENC, in properties.json in place of the plain-text password.

$SECRET Encryption

The $ENC encryption used in service configs, profiles, and properties.json is deprecated. Its replacement is a $SECRET_ reference: the prefix $SECRET_ followed by the path and key of the secret in HashiCorp Vault, which performs the encryption and decryption. Support for $ENC will be removed in a future release; any $ENC values still present after its removal will no longer function.

For more detail, see Manual Property Encryption for Profiles.

Encrypting Passwords in the Properties JSON

The properties.json file will likely contain passwords. Apply the principle of least privilege whenever this file is managed: only the account that runs the platform needs to read it. Note that $ENC values are decrypted by the platform itself at startup, so they protect against casual disclosure of the file contents, not against an attacker who already has access to the host and the platform installation. Restrictive file permissions therefore remain necessary even when every value is encrypted.

  1. Set the file system permissions so that only the file owner can read and write it (mode 0600). The owner must be the account that runs the Itential Platform.

    chmod 0600 /opt/pronghorn/current/properties.json
    
  2. Change to the following directory.

    /opt/pronghorn/current/node_modules/@itential/pronghorn-core/utils
    
  3. Use the Itential Platform encrypt tool to encrypt each sensitive password before saving it in properties.json, replacing password with the plain-text value.

    $ node encrypt.js password
    Encrypted Password: $ENC93eb9439537ae34196db49409dd0261a8b87218fafd0419
    

    Note: The encrypt.js tool will respond with a string that starts with $ENC. Use this string when configuring passwords in the properties.json file.

  4. Store the entire $ENC string in properties.json in place of the plain-text password, as in the following example. The plain-text value itself never appears in the file.

    "mongoProps": {
        "db": "pronghorn",
        "url": "mongodb://localhost:27017",
        "credentials": {
            "dbAuth": true,
            "user": "pronghorn",
            "passwd": "$ENC82ee8a234a69f15bdb8e05409cda2418878b2f85af"
        }
    }
    
  5. Alternatively, use the HashiCorp Vault encryption feature ($SECRET_ references) or the CyberArk Central Credential Provider, so that properties.json holds a reference to the credential rather than a reversible ciphertext of it.