Encrypting/Hashing clear text passwords in Java Bean

Ullfig, Roberto Alfredo rullfig at uic.edu
Mon Jan 25 19:50:56 UTC 2021 

It does serve a purpose. A configuration file like global.xml is stored in git. Moving the credentials to a password vault would be a better solution but I don't see how I can access a password vault from this bean code. We have code written in perl that accesses credentials from a password vault so that the scripts stored in git don't have clear-text credentials.

---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Monday, January 25, 2021 11:34 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Encrypting/Hashing clear text passwords in Java Bean

On 1/25/21, 12:20 PM, "users on behalf of Kim, Allan via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

>    How would we go about replacing the clear text version with a hashed or encrypted string? Thanks!

Hashing it can't work, that's not reversible. Encrypting it is pointless because the decryption password would be in the same place.

The best improvement you can make is to abandon unattended restart as a feature and putting it on an encrypted volume that's unmounted at startup and during backups and only unlocked to start the service. Of course you could put the decryption password there too but that serves no purpose when you can just put the property itself there.

Or of course using a secrets manager or vault, but that just moves the problem to the credential used to access the vault, so I don't see them as moving the ball either.

-- Scott


--
For Consortium Member technical support, see https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.shibboleth.net%2Fconfluence%2Fx%2FcoFAAg&data=04%7C01%7Crullfig%40uic.edu%7Cd5079493e0d443cbbc8908d8c157a5b1%7Ce202cd477a564baa99e3e3b71a7c77dd%7C0%7C0%7C637471929481633026%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=NFb1vtrVrs0hf0TcLqiO25vNvvXX3epTULZN8J0qnp8%3D&reserved=0
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210125/422cad74/attachment.htm>

More information about the users mailing list