shapeblue
diff --git a/‎client/conf/db.properties.in‎
Lines changed: 1 addition & 0 deletions b/‎client/conf/db.properties.in‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎debian/rules‎
Lines changed: 1 addition & 0 deletions b/‎debian/rules‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java‎
Lines changed: 38 additions & 0 deletions b/‎engine/schema/src/main/java/com/cloud/upgrade/DatabaseUpgradeChecker.java‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade450to451.java‎
Lines changed: 1 addition & 2 deletions b/‎engine/schema/src/main/java/com/cloud/upgrade/dao/Upgrade450to451.java‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql‎
Lines changed: 1 addition & 1 deletion b/‎engine/schema/src/main/resources/META-INF/db/schema-41720to41800.sql‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎framework/db/src/main/java/com/cloud/utils/crypt/DBEncryptionFinderCLI.java‎
Lines changed: 30 additions & 0 deletions b/‎framework/db/src/main/java/com/cloud/utils/crypt/DBEncryptionFinderCLI.java‎
Lines changed: 30 additions & 0 deletions
@@ -51,6 +51,7 @@ db.cloud.trustStorePassword=
 # Encryption Settings
 db.cloud.encryption.type=none
 db.cloud.encrypt.secret=
+db.cloud.encryptor.version=
 
 # usage database settings
 db.usage.username=@DBUSER@
 
@@ -135,6 +135,7 @@ override_dh_auto_install:
 	install -D systemvm/dist/* $(DESTDIR)/usr/share/$(PACKAGE)-common/vms/
 	# We need jasypt for cloud-install-sys-tmplt, so this is a nasty hack to get it into the right place
 	install -D agent/target/dependencies/jasypt-1.9.3.jar $(DESTDIR)/usr/share/$(PACKAGE)-common/lib
+	install -D utils/target/cloud-utils-$(VERSION).jar $(DESTDIR)/usr/share/$(PACKAGE)-common/lib/$(PACKAGE)-utils.jar
 
 	# cloudstack-python
 	mkdir -p $(DESTDIR)/usr/share/pyshared
 
@@ -23,6 +23,8 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.Arrays;
 import java.util.Date;
@@ -109,6 +111,7 @@
 import com.cloud.upgrade.dao.VersionVO;
 import com.cloud.upgrade.dao.VersionVO.Step;
 import com.cloud.utils.component.SystemIntegrityChecker;
+import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.db.GlobalLock;
 import com.cloud.utils.db.ScriptRunner;
 import com.cloud.utils.db.TransactionLegacy;
@@ -369,6 +372,7 @@ public void check() {
             }
 
             try {
+                initializeDatabaseEncryptors();
 
                 final CloudStackVersion dbVersion = CloudStackVersion.parse(_dao.getCurrentVersion());
                 final String currentVersionValue = this.getClass().getPackage().getImplementationVersion();
@@ -403,6 +407,40 @@ public void check() {
         }
     }
 
+    private void initializeDatabaseEncryptors() {
+        TransactionLegacy txn = TransactionLegacy.open("initializeDatabaseEncryptors");
+        txn.start();
+        String errorMessage = "Unable to get the database connections";
+        try {
+            Connection conn = txn.getConnection();
+            errorMessage = "Unable to get the 'init' value from 'configuration' table in the 'cloud' database";
+            decryptInit(conn);
+            txn.commit();
+        } catch (CloudRuntimeException e) {
+            s_logger.error(e.getMessage());
+            errorMessage = String.format("Unable to initialize the database encryptors due to %s. " +
+                    "Please check if database encryption key and database encryptor version are correct.", errorMessage);
+            s_logger.error(errorMessage);
+            throw new CloudRuntimeException(errorMessage, e);
+        } catch (SQLException e) {
+            s_logger.error(errorMessage, e);
+            throw new CloudRuntimeException(errorMessage, e);
+        } finally {
+            txn.close();
+        }
+    }
+
+    private void decryptInit(Connection conn) throws SQLException {
+        String sql = "SELECT value from configuration WHERE name = 'init'";
+        try (PreparedStatement pstmt = conn.prepareStatement(sql);
+             ResultSet result = pstmt.executeQuery()) {
+            if (result.next()) {
+                String init = result.getString(1);
+                s_logger.info("init = " + DBEncryptionUtil.decrypt(init));
+            }
+        }
+    }
+
     @VisibleForTesting
     protected static final class NoopDbUpgrade implements DbUpgrade {
 
 
@@ -27,7 +27,6 @@
 import java.util.List;
 
 import org.apache.log4j.Logger;
-import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
 
 import com.cloud.utils.crypt.DBEncryptionUtil;
 import com.cloud.utils.exception.CloudRuntimeException;
@@ -111,7 +110,7 @@ private void encryptIpSecPresharedKeysOfRemoteAccessVpn(Connection conn) {
                 String preSharedKey = resultSet.getString(2);
                 try {
                     preSharedKey = DBEncryptionUtil.decrypt(preSharedKey);
-                } catch (EncryptionOperationNotPossibleException ignored) {
+                } catch (CloudRuntimeException ignored) {
                     s_logger.debug("The ipsec_psk preshared key id=" + rowId + "in remote_access_vpn is not encrypted, encrypting it.");
                 }
                 try (PreparedStatement updateStatement = conn.prepareStatement("UPDATE `cloud`.`remote_access_vpn` SET ipsec_psk=? WHERE id=?");) {
 
@@ -214,7 +214,7 @@ BEGIN
 -- Add passphrase table
 CREATE TABLE IF NOT EXISTS `cloud`.`passphrase` (
     `id` bigint unsigned NOT NULL auto_increment,
-    `passphrase` varchar(64) DEFAULT NULL,
+    `passphrase` varchar(255) DEFAULT NULL,
     PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 
 
@@ -0,0 +1,30 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+
+package com.cloud.utils.crypt;
+
+import java.util.Map;
+import java.util.Set;
+
+public class DBEncryptionFinderCLI {
+    public static void main(String[] args) {
+        Map<String, Set<String>> encryptedTableCols = EncryptionSecretKeyChanger.findEncryptedTableColumns();
+        encryptedTableCols.forEach((table, cols) -> System.out.printf("Table %s has encrypted columns %s%n", table, cols));
+    }
+}