I am using Jasypt and Spring 3 in my Java project. I am currently storing database connection properties in a properties file. The username and password are plain text, so I am considering using Jasypt's EncryptablePropertyPlaceholderConfigurer.
The documentation and textbooks suggest storing the master password used for decryption in an environment variable. Is it really safer than storing plain text values in a properties file? If someone compromises this field, will the main password not be visible in (1) environment variables or (2) when the script server starts? I suppose you could manually set the environment variable and disable it after starting the server, but the manual process of this seems uncontrollable.
Am I just paranoid? Is there an approach you used to protect your usernames and passwords?
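The setup the question describes, as an added example that is not part of the original post: a Spring 3 context in which Jasypt takes the master password from an environment variable and decrypts `ENC(...)` values from the properties file. The variable name `APP_ENCRYPTION_PASSWORD`, the property keys, the file path and the commons-dbcp data source are assumptions.

```xml
<!-- application.properties (assumed keys; ciphertext shown as a placeholder):
       db.url=jdbc:mysql://localhost/appdb
       db.username=ENC(PLACEHOLDER_CIPHERTEXT)
       db.password=ENC(PLACEHOLDER_CIPHERTEXT)
     Only values wrapped in ENC(...) are decrypted; others pass through. -->

<!-- Reads the master password from the process environment at startup.
     The algorithm must match the one used to produce the ENC(...) values. -->
<bean id="environmentVariablesConfiguration"
      class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  <property name="algorithm" value="PBEWithMD5AndDES" />
  <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
</bean>

<bean id="configurationEncryptor"
      class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="config" ref="environmentVariablesConfiguration" />
</bean>

<!-- Drop-in replacement for Spring's PropertyPlaceholderConfigurer. -->
<bean id="propertyConfigurer"
      class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
  <constructor-arg ref="configurationEncryptor" />
  <property name="locations">
    <list>
      <value>/WEB-INF/classes/application.properties</value>
    </list>
  </property>
</bean>

<!-- Placeholders are resolved to plaintext before the bean is created,
     so the data source itself holds the decrypted credentials in memory. -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
      destroy-method="close">
  <property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <property name="url" value="${db.url}" />
  <property name="username" value="${db.username}" />
  <property name="password" value="${db.password}" />
</bean>
```

With this configuration the properties file no longer contains the credentials, but the master password remains in the server process's environment for as long as the process runs, and in any script that exports it.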