Encryption of DB password in the configuration file


As a security policy we are not putting any password in clear in the configuration file. The standard way to approach this is to put the password encrypted in the conf file.

Does Camunda have support to call a service/API to decrypt the password before initiating the DB connection? How does Camunda address this security concern?



this thread may be of interest…

In practice, Im a bigger fan of access control. For example with Tomcat on linux, leave the password in the clear, create a tomcat user and ensure only tomcat can read tomcat folders. Then disable console access. Hence an admin must authenticate and use sudo to access the file etc…



1 Like

Hi @sorin.maier,

there is not explicit facility for that. It will depend on your application server \ web container. Camunda retrieves database connection based on jdbc data source, how you configure this datasource is totally up to you. For example here is how tomcat project see the issue https://wiki.apache.org/tomcat/FAQ/Password on the contrary JBoss provide following options https://docs.jboss.org/jbosssecurity/docs/6.0/security_guide/html/Encrypting_Data_Source_Passwords.html.

Does that help you?


Hi Askar,

thanks for your reply. We’ll use the container provided method to solve this issue.

Even if you use the container approach in Tomcat, you can override the Datasource Factory to use encrypted passwords.
To do this, create a custom Datasource Factory and reference this in your app context,xml:

The datasource creation factory should extend org.apache.commons.dbcp.BasicDataSourceFactory and overwrite the getObjectInstance() method.
Also notice that the Resource declaration includes a passwordDecryptorClass which names the class used to decrypt the database password. This allows the decryptor implementation to be changed by Kronos without any need to touch the datasource factory class.

Hope this helps,

1 Like