Starburst Secrets – Hiding Sensitive Presto Credentials

Last Updated: January 10, 2024

As Presto continues to rapidly become the SQL engine of choice powering the modern big data consumption layer, security is at the top of our list. Many organizations do not allow any type of sensitive information on servers in plain text. Examples include passwords, usernames, and other sensitive information. 

Presto’s configuration files may include sensitive information, such as passwords and usernames to your data sources. In many enterprise organizations, this violates security policies, so we created a method to encrypt this information using Starburst Secrets. Secrets allow administrators to separate configuration files from this sensitive data by storing them in a Java keystore file. This allows the configuration files to only contain encrypted values of these sensitive config entries.

Starburst Secrets Architecture Graphic

The process is very straightforward and the steps include:

  1. Generate a keystore file with an alias for your encrypted value.
  2. Create a configuration file to inform Presto where to find the keystore file.
  3. Modify your config file(s) replacing the sensitive value with your alias.


Ok, let’s get started. 


First, we generate our keystore file and give it an alias. In this example, I used “oracle_connection_password” for my alias:

keytool -genseckey -alias oracle_connection_password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12


Tip Icon TIP – You can have multiple aliases in one keystore file. You can just repeat the command above using a different alias. e.g.   keytool -genseckey -alias snowflake_connection_password -keyalg PBE -keystore presto-keystore.pfx -storetype PKCS12


Second, create a file named configuration-source.properties in /etc/presto that indicates to Starburst Presto that we’ll be using a keystore file to store our sensitive information:


keystore.password=(the password you used when creating the keystore file above)


Third, modify my oracle.properties file that contains my Oracle password:

[root@ip-172-31-8-140 catalog]# cat oracle.properties







And that’s it! The secrets can be used in any of the Starburst Presto configuration files. We tried to make it as simple as possible to extract out sensitive information from configuration files.

Full documentation can be found here: https://docs.starburstdata.com/latest/security/secrets.html


If you have any questions, please feel free to reach out to us at hello@starburstdata.com


Start Free with
Starburst Galaxy

Up to $500 in usage credits included

  • Query your data lake fast with Starburst's best-in-class MPP SQL query engine
  • Get up and running in less than 5 minutes
  • Easily deploy clusters in AWS, Azure and Google Cloud
For more deployment options:
Download Starburst Enterprise

Please fill in all required fields and ensure you are using a valid email address.