Encrypting/Hashing clear text passwords in Java Bean

Cantor, Scott cantor.2 at osu.edu
Mon Jan 25 17:34:29 UTC 2021


On 1/25/21, 12:20 PM, "users on behalf of Kim, Allan via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

>    How would we go about replacing the clear text version with a hashed or encrypted string? Thanks!

Hashing it can't work, that's not reversible. Encrypting it is pointless because the decryption password would be in the same place.

The best improvement you can make is to abandon unattended restart as a feature and put it on an encrypted volume that's unmounted at startup and during backups and only unlocked to start the service. Of course you could put the decryption password there too, but that serves no purpose when you can just put the property itself there.

Or of course using a secrets manager or vault, but that just moves the problem to the credential used to access the vault, so I don't see them as moving the ball either.

-- Scott