9

I have an Akka project that needs several passwords to work: to access a datastore, a distributed filesystem connection string...

Those values are not hardcoded in the configuration file, but rather pulled from a key vault at run time during app startup and then stored in memory in a Typesafe Config object, as the third parties are using this configuration to get the password and open the connections.

I am just wondering if somehow this is risky, as I am guessing the strings would be in the clear in memory. Is there a way to transparently obfuscate/encrypt the values? Or do I need to implement it on my side, and update the third parties so that they transform the string before actually opening the connections?

CanardMoussant
  • 913
  • 8
  • 22

2 Answers

6

In my opinion that is, in almost every application, a security risk you should not be concerned about. Since Scala runs on the JVM, please refer to: Sensitive Data In Memory.

Federico Pellegatta
  • 3,977
  • 1
  • 17
  • 29
  • Well, unfortunately my colleagues do not share this point of view :). I read in several places that in Java it is safer to use arrays of bytes instead of Strings, but here I rely on Typesafe Config objects to hold the data :-(. – CanardMoussant Mar 31 '17 at 13:41
  • Can you give some links to those "several places"? – Chrs Mar 31 '17 at 15:07
  • http://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords – Federico Pellegatta Mar 31 '17 at 15:37
0

You can try to use sun.misc.Unsafe to clear the memory right after the password has been used:

    // getUnsafe(), toAddress() and sizeOf() are the helpers from the linked
    // mishadoff post (Unsafe obtained via the "theUnsafe" field, object address
    // and shallow size computed from the object header); they are JVM-specific.
    String password = new String("l00k@myHor$e");
    String fake = new String(password.replaceAll(".", "?"));
    System.out.println(password); // l00k@myHor$e
    System.out.println(fake); // ????????????

    // Overwrite the password object's memory (header and value reference)
    // with the bytes of the "fake" object, so password now reads as fake.
    getUnsafe().copyMemory(
        fake, 0L, null, toAddress(password), sizeOf(password));

    System.out.println(password); // ????????????
    System.out.println(fake); // ????????????

or via reflection:

    import java.lang.reflect.Field;
    import java.util.Arrays;

    // Reach into String's private backing array and overwrite it in place.
    // Java 16+ denies this without --add-opens java.base/java.lang=ALL-UNNAMED.
    Field stringValue = String.class.getDeclaredField("value");
    stringValue.setAccessible(true);
    Object mem = stringValue.get(password);
    if (mem instanceof char[]) {            // Java 8 and earlier: char[]
        Arrays.fill((char[]) mem, '?');
    } else {                                // Java 9+ compact strings: byte[]
        Arrays.fill((byte[]) mem, (byte) '?');
    }
    // Caveat: new String(literal) shares the literal's backing array on JDK 7u6+,
    // so with a literal this also rewrites the interned copy; a value fetched
    // from a vault at run time has no such second copy.

http://mishadoff.com/blog/java-magic-part-4-sun-dot-misc-dot-unsafe/

Alex Chernyshev
  • 1,719
  • 9
  • 11
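The comments on the first answer mention the usual advice to keep a password in a char array rather than a String, and the second answer shows wiping a String's backing array after use. The following is an added example, written for this page and not code from the question, the answers or the Typesafe Config project: a small holder that owns the secret as a mutable char[], wipes it deterministically via try-with-resources, and shows the one place where a String copy is unavoidable when a third-party API only accepts String. `fetchFromVault`, `openWithCharArray` and `openWithString` are hypothetical stand-ins for the vault client and the third-party connectors; `ZeroableSecret` is an assumed name.

```java
import java.util.Arrays;
import java.util.function.Function;

/**
 * Added example: keeps a secret as a mutable char[] so it can be zeroed when
 * no longer needed, rather than as an immutable String that stays on the heap
 * until the garbage collector happens to reclaim it.
 */
final class ZeroableSecret implements AutoCloseable {
    private final char[] value;
    private boolean wiped;

    private ZeroableSecret(char[] value) {
        this.value = value;
    }

    /** Take ownership of a freshly fetched secret and zero the caller's array. */
    static ZeroableSecret adopt(char[] fetched) {
        char[] owned = Arrays.copyOf(fetched, fetched.length);
        Arrays.fill(fetched, '\0');
        return new ZeroableSecret(owned);
    }

    /** Hand the raw characters to an operation; nothing escapes unless the operation copies them. */
    <T> T use(Function<char[], T> operation) {
        if (wiped) {
            throw new IllegalStateException("secret has already been wiped");
        }
        return operation.apply(value);
    }

    boolean isWiped() {
        return wiped;
    }

    /** Overwrite the characters in place; the array object remains, but holds only zeros. */
    @Override
    public void close() {
        Arrays.fill(value, '\0');
        wiped = true;
    }
}

final class SecretDemo {
    /** Hypothetical stand-in for the key vault call; returns a constructed value. */
    static char[] fetchFromVault(String key) {
        return ("constructed-secret-for-" + key).toCharArray();
    }

    /** Hypothetical connector whose API accepts char[] (as java.security.KeyStore#load does). */
    static int openWithCharArray(char[] password) {
        return password.length; // pretend to connect; return something checkable
    }

    /** Hypothetical connector that only accepts String, like a value read from a Config object. */
    static int openWithString(String password) {
        return password.length();
    }

    public static void main(String[] args) {
        char[] fetched = fetchFromVault("datastore");
        ZeroableSecret held;
        try (ZeroableSecret secret = ZeroableSecret.adopt(fetched)) {
            held = secret;
            // The vault's buffer is already zeroed; only the holder knows the value now.
            System.out.println("fetched buffer wiped: " + (fetched[0] == '\0'));

            // Preferred path: pass the char[] straight to an API that accepts it.
            System.out.println("char[] handle: " + secret.use(SecretDemo::openWithCharArray));

            // Bridge for String-only APIs: new String(chars) copies the characters into an
            // immutable object that cannot be wiped; that copy lives until it is collected.
            String bridged = secret.use(String::new);
            System.out.println("String handle: " + openWithString(bridged));
            bridged = null; // drops this reference; the characters remain until GC runs
        }
        // try-with-resources called close(): the holder's array is now all zeros.
        System.out.println("holder wiped after use: " + held.isWiped());
    }
}
```

The design point is that wiping only helps for copies you own: the holder can zero its own array, but every `new String(...)` handed to a String-only API is a copy outside your control, so the gain is bounded by how many of the third-party connectors accept a char[] (or bytes) instead of a String.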