When using Jasypt to encrypt Spring property files, is an environment variable really a reliable place to store the master password?

I am using Jasypt and Spring 3 in my Java project. I currently store the database connection properties in a properties file. The username and password are in plain text, so I am considering using Jasypt's EncryptablePropertyPlaceholderConfigurer.

The documentation and textbooks suggest storing the master password used for decryption in an environment variable. Is that really safer than storing plain-text values in a properties file? If someone compromises the box, won't the master password be visible either (1) in the environment variables or (2) in the server startup script? I suppose you could set the environment variable manually and unset it after the server has started, but such a manual process seems unmanageable.

Am I just being paranoid? Is there an approach you have used to protect your usernames and passwords?

1 answer

Storing passwords in clear text is never a safe practice. An attacker who takes over the server has access to all your passwords. If manual entry is not an option (as is usual), you can only hide the password from part of your team. If you do not want to expose the database passwords, use a JNDI database connection. That way the passwords are visible only to the application server administrators.

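The two setups discussed above side by side, as an added Spring 3 XML configuration that is not part of the original question or answer: option A wires Jasypt's EncryptablePropertyPlaceholderConfigurer to an EnvironmentStringPBEConfig that reads the master password from an environment variable, option B is the answer's JNDI lookup, where no credential appears in the application's files at all. The variable name APP_MASTER_PASSWORD, the JNDI name jdbc/appDS, the property keys and the db.properties content are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jee="http://www.springframework.org/schema/jee"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/jee
         http://www.springframework.org/schema/jee/spring-jee-3.0.xsd">

  <!-- Option A: Jasypt. The master password is read once, at bean initialisation,
       from the APP_MASTER_PASSWORD environment variable (assumed name) and is never
       written to a file. It is still part of the JVM's environment afterwards, so
       root, or anyone running as the same user, can read it from /proc/<pid>/environ. -->
  <bean id="pbeConfig" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <!-- Jasypt's default algorithm; see the note below the example. -->
    <property name="algorithm" value="PBEWithMD5AndDES"/>
    <property name="passwordEnvName" value="APP_MASTER_PASSWORD"/>
  </bean>

  <bean id="stringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config" ref="pbeConfig"/>
  </bean>

  <!-- Drop-in replacement for PropertyPlaceholderConfigurer: any value of the form
       ENC(...) in the loaded properties is decrypted before ${...} placeholders are resolved. -->
  <bean id="propertyConfigurer"
        class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
    <constructor-arg ref="stringEncryptor"/>
    <property name="location" value="classpath:db.properties"/>
  </bean>

  <!-- Assumed db.properties content (the ENC(...) ciphertext comes from the Jasypt CLI):
         jdbc.url=jdbc:postgresql://db.internal/app
         jdbc.user=app
         jdbc.password=ENC(...)
       Plain values are left untouched, so only the secrets need to be encrypted. -->
  <bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
    <property name="driverClassName" value="org.postgresql.Driver"/>
    <property name="url" value="${jdbc.url}"/>
    <property name="username" value="${jdbc.user}"/>
    <property name="password" value="${jdbc.password}"/>
  </bean>

  <!-- Option B: the JNDI approach from the answer. The container owns the pool and
       its password; the application only looks the DataSource up by name, so neither
       the properties file nor the environment carries a database credential.
       In a real deployment you would keep one of the two beans, not both. -->
  <jee:jndi-lookup id="containerDataSource" jndi-name="jdbc/appDS" resource-ref="true"/>
</beans>
```

To produce the ENC(...) value, run the encrypt script shipped in the Jasypt distribution with the same algorithm and the same master password as configured above, for example `encrypt.sh input=<db password> password=<master password> algorithm=PBEWithMD5AndDES`, and paste its output into db.properties. PBEWithMD5AndDES is shown because it is Jasypt's default and runs on any JDK; where the Bouncy Castle provider and the unlimited-strength JCE policy are available, a stronger algorithm such as PBEWITHSHA256AND256BITAES-CBC-BC is the better choice. Neither option removes the trust placed in whoever administers the box: option A hides the database password from anyone who can read the properties file but not the process environment, option B hides it from everyone except the application server administrators, which is exactly the trade-off the answer describes.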

Source: https://habr.com/ru/post/1383472/