
I am examining Jasypt for storing encrypted database passwords in property files. It has good integration with Spring etc., but the approach these guys propose for encrypting the password looks a bit weird to me:

  1. Use PBE (symmetric algorithm) encryption.

  2. Store password for encryption/decryption in environment variable or in source code.

Both options look unsafe and a bit insecure.

My questions:

  1. What is the best practice for storing encrypted passwords?
  2. Can I use key based encryption (i.e. private/public keys) here?
marc_s
FoxyBOA
  • http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords salt+hash+use recognised algorithms. – assylias Jul 23 '16 at 10:20
  • @assylias How will password hashing help with the JDBC password? AFAIK I'll need the unencrypted password for the JDBC driver. The same situation could arise with 3rd-party services where you have to authenticate by username/password. – FoxyBOA Jul 23 '16 at 11:09
  • I misunderstood your question. – assylias Jul 23 '16 at 15:57

1 Answer


In our application we use two approaches:

  1. We use an enterprise password vault which stores the passwords for all our databases. Our web server requests the password from the vault to connect to the database every time.

  2. We store encrypted passwords in a properties file. During application startup we read the properties file using the class loader, keep it as a system variable and use it whenever needed.

It is difficult to have public/private key encryption directly with the DB; you would need an intermediary to do this.

  • Hi Sanket. When you say "our application" does that mean that you have a specific role wrt Jasypt or Spring? Could you disclose that role? – Maarten Bodewes Jul 23 '16 at 08:36
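As an added illustration of the second approach (this is example code, not from the question, the answer or the Jasypt project), the following assumes Jasypt 1.9.3 or newer on the classpath, a resource file db.properties containing db.password=ENC(...), and the master password supplied through an assumed JASYPT_MASTER_PASSWORD environment variable rather than in source code. It also replaces Jasypt's default PBEWithMD5AndDES with a PBKDF2/AES suite, which is the detail most worth checking in an existing setup:

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.properties.EncryptableProperties;

/** Added example: decrypt a JDBC password from a properties file at startup. */
public final class DbSecrets {

    // Assumption: the deployment system sets this variable; it is never committed.
    private static final String MASTER_ENV = "JASYPT_MASTER_PASSWORD";

    private static StandardPBEStringEncryptor encryptor() {
        String master = System.getenv(MASTER_ENV);
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException(MASTER_ENV + " is not set; refusing to start");
        }
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        // Jasypt defaults to PBEWithMD5AndDES; use PBKDF2 with HMAC-SHA512 and AES-256.
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        enc.setIvGenerator(new RandomIvGenerator()); // AES in CBC mode needs a random IV
        enc.setPassword(master);
        return enc;
    }

    /** One-off helper producing the value to paste into db.properties as ENC(...). */
    public static String encryptForProperties(String plaintext) {
        return "ENC(" + encryptor().encrypt(plaintext) + ")";
    }

    /** Loads db.properties from the classpath; ENC(...) values are decrypted by getProperty(). */
    public static String loadDbPassword() throws IOException {
        Properties props = new EncryptableProperties(encryptor());
        try (InputStream in = DbSecrets.class.getClassLoader().getResourceAsStream("db.properties")) {
            if (in == null) {
                throw new IOException("db.properties not found on classpath");
            }
            props.load(in);
        }
        String pwd = props.getProperty("db.password"); // assumed key name
        if (pwd == null) {
            throw new IllegalStateException("db.password missing from db.properties");
        }
        // Hand the value straight to the DataSource. Copying it into System properties
        // exposes it to every class in the JVM and to diagnostic dumps.
        return pwd;
    }
}
```

The ENC(...) ciphertext is produced once with encryptForProperties and committed; the master password that unlocks it is the one secret that must live outside the repository.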