Encryption LDAP managerPassword in configuration file


I’m doing the last configuration adjustments and I’ve noticed that the managerPassword and other configuration passwords are in plain text. Is there any way to encrypt those passwords?


Lets imagine I do encrypt it, then I need an encryption key in the clear in order to decrypt it. Ok, lets put the encryption key in a vault to protect it, but then I need a password in the clear to access the vault, to get the key to decrypt the password to access the LDAP account…and so it goes on. Hence this just shifts the problem, it does not address the problem.

Note there are more commoditised ways to do this these days, eg AWS IAM + Shared Secrets Service etc

The real question is, what is the attack vector you need to protect against? Hence lets go back to basics. If you restrict access to the server, then even though the password is in the clear, only those with access can disclose it. Thus restrict access to the server should be the real focus…

Past techniques included use run-as system accounts which dont’ have console access. Put the config in a folder which can only be accessed by this system account. Hence only admins have access via root and they must sudo to access the folder and thus there is strong audit trail etc…




I was reading some articles and with this:

java -cp modules\system\layers\base\org\picketbox\main\picketbox-5.0.2.Final.jar org.picketbox.datasource.security.SecureIdentityLoginModulePassword Password

And reading this

I had an interesting solution.

I was thinking and I think your anwers it’s the correct :slight_smile:

1 Like