
I'm using Jasypt and Spring 3 in my Java project. I currently store the database connection properties in a properties file. The user name and password are plain text, so I've been looking at using Jasypt's EncryptablePropertyPlaceholderConfigurer.

The documentation and tutorials suggest storing the master password used for decryption in an environment variable. Is that really any more secure than storing plain text values in the properties file? If someone compromises the box, wouldn't the master password be either visible in (1) the environment variables or (2) the server start-up script? I suppose you could manually set the environment variable and unset it after server start-up, but the manual process of that seems unmanageable.

Am I just being paranoid? Is there an approach that you've used to secure your connection user names and passwords?

user935265
Jasypt recommends using [Web PBE Configuration](http://www.jasypt.org/webconfiguration.html) to get around exactly this problem. But as they say in the [Advanced Configuration](http://www.jasypt.org/advancedconfiguration.html) section, you'd have to reset the password each time you redeploy the application in a web console. – rzrelyea Apr 29 '13 at 16:06

1 Answer


Storing clear text passwords is never a safe procedure. An attacker who takes over the server has access to your passwords in all cases. If manual entry is not an option (as is usual), you can only hide the password from part of your team. If you do not want to disclose the database passwords, use a JNDI database connection. This makes the passwords visible only to the application server administrators.

oliver.d
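The two approaches discussed above, side by side, as an added example that is not part of the original question or answer: a Spring 3 XML context that resolves ENC(...) placeholders with Jasypt's EncryptablePropertyPlaceholderConfigurer, taking the master password from an environment variable as the question describes, with the answer's JNDI data source shown as the alternative. The environment variable name APP_ENCRYPTION_PASSWORD, the properties file name and keys, the JNDI name jdbc/appDb and the Commons DBCP BasicDataSource class are assumptions for illustration; the ENC(...) value is a placeholder, not a real ciphertext.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; assumes the jasypt-spring3 artifact and Commons DBCP are on the classpath. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/jee
         http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">

  <!-- The master password is read from the environment variable named here (name is an
       assumption). It must be present in the JVM's environment when the context starts, and
       from then on it is readable by anyone who can read /proc/<pid>/environ for the JVM
       process, i.e. the same OS user or root. -->
  <bean id="environmentVariablesConfiguration"
        class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES"/>
    <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD"/>
  </bean>

  <!-- Encryptor that decrypts ENC(...) values using the configuration above. -->
  <bean id="configurationEncryptor"
        class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="environmentVariablesConfiguration"/>
  </bean>

  <!-- Replacement for Spring's PropertyPlaceholderConfigurer: plain values pass through
       unchanged, values written as ENC(...) are decrypted before substitution. -->
  <bean id="propertyConfigurer"
        class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="configurationEncryptor"/>
    <property name="locations">
      <list>
        <value>classpath:/database.properties</value>
      </list>
    </property>
  </bean>

  <!-- database.properties (assumed content; the ciphertext is a placeholder, not a real value):
         jdbc.url=jdbc:postgresql://db.example.internal:5432/app
         jdbc.username=app
         jdbc.password=ENC(REPLACE_WITH_OUTPUT_OF_encrypt.sh)
       The ciphertext is produced once, with the same algorithm and master password, for
       example with the encrypt.sh script shipped in the bin directory of the Jasypt
       distribution. -->
  <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.username}"/>
    <property name="password" value="${jdbc.password}"/>
  </bean>

  <!-- The answer's alternative: no database credentials in the application at all. Replace
       the dataSource bean above with a JNDI lookup; the container (for Tomcat, the Resource
       element in context.xml) owns the URL, user name and password, so only container
       administrators see them and the properties file needs no password entry. -->
  <!--
  <jee:jndi-lookup id="dataSource" jndi-name="java:comp/env/jdbc/appDb"/>
  -->
</beans>
```

Two caveats a practitioner should weigh. First, the environment-variable approach only changes who can read the secret, not whether it is readable: the master password sits in the JVM's environment for the life of the process (and in whatever start-up script exported it), so an attacker running as the application user or as root recovers it, which is the point the question makes. The JNDI approach likewise leaves the plaintext in the container's configuration on disk; its benefit is separating the people who see it (container administrators) from the people who ship the application, which is what the answer claims and no more. Second, PBEWithMD5AndDES is Jasypt's default and is shown here for that reason only; it is a legacy algorithm, and Jasypt accepts any PBE algorithm offered by the JCE providers on the classpath, so prefer a stronger one when the environment permits.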