How to Configure Encryption

Environment Variables

Password encryption requires the following environment variables to be set:

BAInsightSecurityEncriptionKey
- The value of this environment variable is used as key encryption algorithm.
- Example: RgUkXp2s5v8y/B?E(H+KbPeShVmYq3t6
BAInsightSecuritySaltKey
- The value of this environment variable is used as a salt key for the encryption algorithm.
- Note that BAInsightSecuritySaltKey value must be at least 8 characters.
- Example: TjWnZr4u7x!A%D*G-KaPdRgUkXp2s5v8

After changing BAInsightSecurityEncriptionKey and BAInsightSecuritySaltKey you'll need to perform an iisreset.

Note the following when configuring encryption for your SmartHub instance:

If you want to change your encryption and / or salt keys, first you must use the SmartHub Encryption Tool to decrypt the current configuration.
If you use more BA Insight products that uses this encryption mechanism, the same keys are used for all such products. If you don't know this information, please contact BA Insight Support Team.
If you install SmartHub in a multi-server environment, you need to set up the same environment variables on all the servers running SmartHub.
The priority of reading the values from the environment variables is User Environment Variables and then, if user variables are not set, the System Environment Variables are checked. If you want to have multiple user accounts running multiple BA Insight products that use this encryption mechanism, you can either set up the environment variables for each of the users, or set up the system environment variables. Note that System environment variables are accessible for all users and this may not align with your security policy.

SmartHub Encryption Tool

Note: For information about how to use the SmartHub Encryption tool to change encryption keys, see "How to Use the SmartHub Encryption Tool to Change the Encryption Keys," below.

SmartHub Encryption Tool uses two folders:

encryptedFilesFolder
- This folder contains the encrypted configuration files,
- The default value points to the SmartHub configuration directory: "../../Configuration"
decryptedFilesFilesFolder
- This folder contains the decrypted configuration files
- The default value points to the path "../../Configuration/Decrypted"

Using the SmartHub Encryption Tool

The SmartHub Encryption Tool can be found in <SmartHubRootFolder>\Tools\EncryptionTool. Run the tool via the file BAInsight.EncryptionTool.exe. The regular steps are "Decrypt" and then "Encrypt" as shown in the image above.

Decrypt
- When choosing the decrypt option, the configuration files from the encryptedFilesFolder will be decrypted and saved in the decryptedFilesFilesFolder
Encrypt
- When choosing the encrypt option, the configuration files from decryptedFilesFilesFolder will be encrypted and saved in the encryptedFilesFolder.

If you use the default values for the encryptedFilesFolder and the decryptedFilesFilesFolder, the initial files from the Configuration folder will be overridden with the newly encrypted files

How to Use the SmartHub Encryption Tool to Change the Encryption Keys

Make a backup of the Configuration folder.
Use the Encryption Tool to decrypt the configurations.
Update the environment variables: BAInsightSecurityEncriptionKey andBAInsightSecuritySaltKey
Otherwise, use the Encryption Tool to encrypt the files from the decryptedFilesFilesFolder.
1. If needed, manually copy the files from the encryptedFilesFolder in the Configuration folder.

Common Errors

The following errors indicate that the configurations have not been upgraded. See How to use the SmartHub Encryption Tool to change the encryption keys, above.

This error message usually indicates that the environment variables are configured, but the current configuration uses an obsolete encryption key.

This error message usually indicates that the environment variables are not configured, and the current configuration uses an obsolete encryption key.