
Encrypting OPC Connection Data

On-premise client (OPC) encryption secures sensitive connection metadata—such as application keys and proxy passwords—stored within your installation package. By generating a dedicated encryption key, you ensure that these credentials are encrypted using the AES-256 GCM standard, preventing unauthorized access to plain-text configuration files.

This configuration is typically performed during the initial installation of the OPC on Windows, Linux, or macOS. While the Celonis Platform functions without manual key generation, we strongly recommend this step for all production environments to meet enterprise security and compliance requirements. By default, the system saves the encryption key (celonis-kms.yml) in the shared folder, though you can specify a custom secure location during the process.

Before configuring your OPC connection:

  • Main Installation: Ensure you have already followed the initial setup steps for Windows, Linux, or macOS.

  • Installation Package: You must have the on-premise client installation package downloaded and extracted on your machine.

  • System Permissions: You must have Administrator privileges (Windows) or Root/Sudo access (Linux/macOS) on the host machine to execute configuration commands.

To encrypt your OPC connection data:

  1. Choose your storage location: Decide if you will use the default shared folder or a custom secure directory for your encryption key.

  2. Generate the encryption key: Run the key generation command as part of your specific OS installation.

  3. Verify file creation: Ensure the celonis-kms.yml file is generated in your chosen directory.

  4. Confirm encryption: Check that sensitive fields (application keys, proxy passwords) are no longer stored in plain text.
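
One way to script steps 3 and 4, as an added example that is not Celonis code: it checks that celonis-kms.yml exists in the chosen directory and searches the installation directory for the credential values you entered. The function names, the two directory arguments, and the POSIX permission check are assumptions of this example, not requirements stated by the product.

```python
import getpass
import os
import stat
import sys
from pathlib import Path

KEY_FILE_NAME = "celonis-kms.yml"  # key file name given on this page


def check_key_file(key_dir):
    """Step 3: return a list of problems with the key file in key_dir."""
    key_path = Path(key_dir) / KEY_FILE_NAME
    if not key_path.is_file():
        return [f"{key_path} not found"]
    info = key_path.stat()
    problems = []
    if info.st_size == 0:
        problems.append(f"{key_path} is empty")
    # Added hardening check (an assumption of this example): on POSIX hosts
    # the key should not be accessible to group or other users.
    if os.name == "posix" and info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{key_path} is accessible to group/other")
    return problems


def find_plaintext(install_dir, secrets):
    """Step 4: return files under install_dir that contain a secret verbatim."""
    needles = [s.encode("utf-8") for s in secrets if s]
    hits = []
    for path in Path(install_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if any(needle in data for needle in needles):
            hits.append(str(path))
    return sorted(hits)


# Usage (hypothetical script name): python verify_opc.py <install_dir> <key_dir>
if __name__ == "__main__" and len(sys.argv) == 3:
    install_dir, key_dir = sys.argv[1], sys.argv[2]
    # Prompt for the values so they do not land in shell history.
    secrets = [getpass.getpass("Application key: "),
               getpass.getpass("Proxy password (blank if none): ")]
    findings = check_key_file(key_dir) + [
        f"plain-text credential in {p}" for p in find_plaintext(install_dir, secrets)]
    print("\n".join(findings) or "OK")
    sys.exit(1 if findings else 0)
```

A clean result only shows that the values are not present verbatim as UTF-8 text; running the scan once before generating the key confirms it would have caught the plain-text form.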
