May 21, 2013

How to Encrypt Password in JBoss 7 and EAP 6

When a background process has to connect to a server that requires a login, you have the problem of storing that password securely. A background process has no user interacting with it who could supply the credential, so it must be given the credential beforehand, which raises the problem of storing the password somewhere other than in clear text.

So how do we achieve that with JBoss 7 and EAP 6? The shipped solution is JBoss Vault. Here is a link describing how to use it - https://community.jboss.org/wiki/JBossAS7SecuringPasswords. Some notes on the example there that you might want to consider:
  • The key length of 1024 in the keytool command is bits, not bytes, and is quite weak; consider generating a longer key (for example 2048 bits). 
  • keytool's default certificate validity is only 90 days; you probably want to increase it with the -validity flag.

The next question that arises is how safe this is. Red Hat answers that on the same page.

"The default implementation of the vault utilizes a Java KeyStore. Its configuration uses Password Based Encryption, which is security by obscurity. This is not 100% security. It only gets away from the problem of clear text passwords in configuration files. There is always a weak link. (As mentallurg suggests in the comments, the keystore password is the weakest link)."
   
"Ideally, 3rd party ISV robust implementations of Vaults should provide the necessary security."

[https://community.jboss.org/wiki/JBossAS7SecuringPasswords#Frequently_Asked_Questions]

And perhaps the most obvious question is how to make it stronger. Red Hat answers that on the same page too: store the keystore on an external USB device that you mount at boot and then remove, or use a stronger third-party solution.
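The procedure above, put together as a script, as an added example that is not code from the original post or from the Red Hat wiki it links. It generates the vault keystore with a 2048-bit key and a ten-year validity instead of the wiki's 1024-bit, 90-day default, stores one secret with vault.sh, and prints the <vault> element and the ${VAULT::...} reference that replace the clear-text password in standalone.xml. It assumes JBOSS_HOME points at an AS 7 / EAP 6 installation, that the JDK's keytool is on PATH, that the vault lives in the assumed directory /opt/jboss/vault, and that vault.sh accepts the non-interactive flags of EAP 6.1's vault.sh (--keystore, --keystore-password, --alias, --enc-dir, --salt, --iteration, --vault-block, --attribute, --sec-attr); older builds prompt for the same values interactively.

```shell
#!/bin/sh
# Added example, not the original post's or Red Hat's code.
# Assumptions: JBOSS_HOME is an AS 7 / EAP 6 install, keytool is on PATH,
# VAULT_DIR is a directory outside the install tree, and vault.sh takes the
# non-interactive flags of EAP 6.1's vault.sh (older builds prompt instead).
set -eu

JBOSS_HOME="${JBOSS_HOME:-/opt/jboss-eap-6}"   # assumed install path
VAULT_DIR="${VAULT_DIR:-/opt/jboss/vault}"     # assumed vault location
KEYSTORE="$VAULT_DIR/vault.keystore"
KEY_ALIAS="vault"

# keytool arguments for the vault key. -keysize is in bits (the wiki example
# uses 1024) and keytool's default -validity is 90 days, which is too short
# for a key that sits under a server's configuration.
keystore_args() {   # $1 keystore path, $2 key size in bits, $3 validity in days
    printf '%s' "-genkey -alias $KEY_ALIAS -keyalg RSA -keysize $2 -validity $3 -keystore $1"
}

# vault.sh rejects a salt that is not exactly 8 characters.
check_salt() {
    [ "${#1}" -eq 8 ]
}

# The expression that replaces a clear-text password in standalone.xml.
# $3 is the shared key that vault.sh prints when the attribute is stored.
vault_ref() {       # $1 vault block, $2 attribute name, $3 shared key
    printf '${VAULT::%s::%s::%s}' "$1" "$2" "$3"
}

# The <vault> element for standalone.xml / domain.xml. $1 is the masked
# keystore password (MASK-...) printed by vault.sh. The mask is only
# password-based encryption of the keystore password, so the permissions on
# the config file and on the keystore still decide who can recover it.
vault_config_xml() {   # $1 masked keystore password, $2 salt, $3 iteration count
    cat <<EOF
<vault>
  <vault-option name="KEYSTORE_URL" value="$KEYSTORE"/>
  <vault-option name="KEYSTORE_PASSWORD" value="$1"/>
  <vault-option name="KEYSTORE_ALIAS" value="$KEY_ALIAS"/>
  <vault-option name="SALT" value="$2"/>
  <vault-option name="ITERATION_COUNT" value="$3"/>
  <vault-option name="ENC_FILE_DIR" value="$VAULT_DIR/"/>
</vault>
EOF
}

# Create the keystore and store one secret in the vault.
# Caveat: -storepass/-keypass and --keystore-password put the keystore
# password into the process list and shell history; drop them to be prompted.
create_and_store() {   # $1 keystore password, $2 salt, $3 iterations, $4 block, $5 attribute, $6 secret
    check_salt "$2" || { echo "salt must be exactly 8 characters" >&2; return 1; }
    umask 077                       # keystore and encrypted files readable by the service user only
    mkdir -p "$VAULT_DIR"
    # shellcheck disable=SC2046     # intentional word splitting of the argument string
    keytool $(keystore_args "$KEYSTORE" 2048 3650) \
        -storepass "$1" -keypass "$1" -dname "CN=jboss-vault"
    "$JBOSS_HOME/bin/vault.sh" --keystore "$KEYSTORE" --keystore-password "$1" \
        --alias "$KEY_ALIAS" --enc-dir "$VAULT_DIR/" --salt "$2" --iteration "$3" \
        --vault-block "$4" --attribute "$5" --sec-attr "$6"
    # vault.sh prints the MASK-... value and the shared key; feed them to
    # vault_config_xml and vault_ref to produce the configuration fragments.
}

# Usage: vault-setup.sh run KEYSTORE_PASSWORD SALT ITERATIONS BLOCK ATTRIBUTE SECRET
case "${1:-}" in
    run) create_and_store "$2" "$3" "$4" "$5" "$6" "$7" ;;
esac
```

Once vault.sh has printed the masked password and the shared key, `vault_config_xml MASK-... 1234abcd 120` gives the element to paste into standalone.xml, and `vault_ref datasource password 1` gives the value that replaces the clear-text password attribute. Keep VAULT_DIR outside the JBoss install tree so the keystore and the encrypted files are not picked up by deployment copies or backups of the install.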
