StreamBase — enciphers text or generates cipher keys for use in StreamBase configuration files


sbcipher [[-Jjvm-option]] {[-k pathToPrivateKeyFile]} {[-p] || [-c "clear text to encipher"]}

sbcipher [[-Jjvm-option]] {[-h] || [-v]}

sbcipher [[-Jjvm-option]] {-g pathToKeyFiles} {-s KeySize}


DEPRECATED. The sbcipher command is deprecated and is expected to be removed in a future release.

The sbcipher commad was formerly used to encipher passwords, URIs that contain passwords, and other parameter text values in HOCON configuration files. In StreamBase 10.3.0 and later, passwords and other string values enciphered with this command are still recognized and deciphered. Going forward, however, use the epadmin encrypt secret and master secret features of the security model introduced in 10.3.0 and described in Encrypting Sensitive Configuration Data.

Although deprecated, the sbcipher command remains available. The following description of its features and options remains in place for those who may have built scripted systems that use the command.

In StreamBase Studio, open a StreamBase command prompt and issue the sbcipher command. Copy the terminal output and paste it in the relevant element of a configuration file.

A common key pair is embedded in clear text in the sbcipher command and in StreamBase Server. By default, sbcipher -c and sbcipher -p use the private key of that embedded common key pair. Specify -k with -c to designate a separate private key generated in advance with -g.

sbcipher -g can be optionally used to create unique client-server key pairs that can be subsequently used by the sbcipher command and supplied to StreamBase Server by means of the Java property.


-c "clear text to encipher", --cipher "clear text to encipher"

Enciphers the argument, and prints the results on stdout. To prevent the input text from being recorded in the session history, use -p instead of -c.

-p , --prompt

Prompts for plain text to encipher and prints the results on stdout. A more secure alternative to -c. Do not enter text as a command argument. You can also pipe the plain text from stdin.

-g pathToKeyFiles, --generate pathToKeyFiles

Generates a client-server key pair and writes the files to the path specified, using the basename of the last element of the path as the basename of the keys. The client key is generated with the name basename.sbcipher, while the server key is generated as basename.server.

-h, --help

Displays usage information, then exits.


Specifies a system property setting or other JVM argument to be passed to the JVM running the enciphering process. Use this option to specify temporary settings that affect only the current invocation of sbcipher. You must specify multiple -J options to specify multiple JVM arguments.

There must be no space after the -J. For example, specify -J-Xmx2G. Use the full option syntax for jvm-option that you would use at the Java command line, including the initial hyphen. For example, specify -J-Dstreambase.log-level=2 to increase the log level for this invocation of sbcipher.

Your jvm-option argument might require surrounding quotes, depending on the characters it contains and the shell you are using. However, do not use quotes to escape the spaces between separate JVM arguments; instead use separate -J options. For example: -J-Xms512M -J-Xmx2G

-k pathToPrivateKeyFile, --key pathToPrivateKeyFile

Specify a basename.server file generated with -g as the private key to use when enciphering a string with -c.

-s KeySize, --size KeySize

Specifies the desired bit size for the keys generated with -g. Valid values for KeySize are 512, 1024, 2048, and 4096.

-v, --version

Displays the version of the command.