Jedox integrated encryption

You can encrypt databases using hash algorithms. Plain text information will no longer be stored if a server installation is encrypted. An encrypted database cannot be decrypted at any time later.

You can turn on the integrated encryption in the palo.ini(see palo.ini.sample).

Windows encryption of database files

In addition to the steps described in Admin User Accounts under “Jedox Administrator account”, one could also add an additional step between steps 6 and 7. This step takes place at this point because the rights for the Jedox administrator will be reduced later in the process. In this step we turn on EFS encryption on data directory (EFS = Encrypting File System). (

Note: if the users are managed over Active Directory, AD, then a certificate must be stored on the AD server.  This has nothing to do with the key – the key will be generated upon activation of the encryption. If the keys cannot be managed by the AD server, a special certificate server is needed.

In Windows Explorer, select the C:\Jedox directory. Right-click and choose Properties from the context menu. Click the  Advanced… button and turn on “Encrypt contents to secure data”:

After clicking OK, all files in C:\Jedox\data are encrypted, particularly the file database_CUBE_0.csv of the System database with the users and passwords.

You can grant access to more users on specific files (e.g. palo.ini and palo.ini.sample) by adding them to the list of users who have transparent access to those files.

For more information on EFS, please consult:


After this step continue with step 7 of “Special Jedox administrator account“, described in the article Admin User Accounts. When all steps are done, the content of the directory C:\Jedox will only be accessible to the palorunner user and the administrator (Note: on Windows 2008 Server, only to the palorunner user).

Other encryption of user data

Jedox Integrator (ETL) can store links to databases in the Jedox Integrator scripts. Here the passwords are encrypted using PBKDF2, and are thus protected from abuse. The algorithm allows for more than 4000 iterations and random salt for each password.

Note: Passwords stored in older versions of Jedox must be changed once to use the PBKDF2 algorithm.

Jedox Integrator encrypts the password immediately after you enter it into the box. The box represents the password as *. Thus, a password is never stored without encryption. The transfer of the password is also performed in encrypted form.

On request, user information of the Jedox client (e.g. Excel) can be stored locally for an automatic login. This username and password are stored in the Windows system registry. The user password is stored encrypted.

Encryption of Jedox Integrator (ETL) process definitions

The Jedox Integrator projects are persisted in the OLAP Server, not in repository.xml. To encrypt, you might use standard OLAP features on Config-DB Encryption (see the points above in this article).