# Credentials Management

## Overview

Starting with MariaDB ColumnStore 6.2.3, ColumnStore supports encryption for user passwords stored in ColumnStore.xml:

* Encryption keys are created with the `cskeys` utility
* Passwords are encrypted using the `cspasswd` utility

## Compatibility

* MariaDB ColumnStore 6
* MariaDB ColumnStore 22.08
* MariaDB ColumnStore 23.02

## Encryption Keys

MariaDB ColumnStore stores its password encryption keys in the plain-text file `/var/lib/columnstore/.secrets`.

The encryption keys are not created by default, but can be generated by executing the `cskeys` utility:

```sql
$ cskeys
```

In a multi-node Enterprise ColumnStore cluster, every ColumnStore node should have the same encryption keys. Therefore, it is recommended to execute cskeys on the primary server and then copy `/var/lib/columnstore/.secret`s to every other ColumnStore node and fix the file's permissions:

```sql
$ scp 192.0.2.1:/var/lib/columnstore/.secrets /var/lib/columnstore/.secrets
$ sudo chown mysql:mysql /var/lib/columnstore/.secrets
$ sudo chmod 0400 /var/lib/columnstore/.secrets
```

## Encrypt a Password

To encrypt a password:

Generate an encrypted password using the cspasswd utility:

```sql
$ cspasswd util_user_passwd
```

* If the `--interactive` command-line option is specified, cspasswd prompts for the password.

Set the encrypted password in `ColumnStore.xml` using the `mcsSetConfig` utility:

```sql
$ sudo mcsSetConfig CrossEngineSupport Password util_user_encrypted_passwd
```

## Decrypt a Password

To decrypt a password, execute the cspasswd utility and specify the --decrypt command-line option:

```sql
$ cspasswd --decrypt util_user_encrypted_passwd
```

<sub>*This page is: Copyright © 2025 MariaDB. All rights reserved.*</sub>

{% @marketo/form formId="4316" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://mariadb.com/docs/analytics/mariadb-columnstore/security/enterprise-columnstore-credentials-management.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.