java - Secure plain text passwords in configuration -
In web applications, you must store the password used to connect to a database. It is mostly in plain text configuration Is done in the file.
I am searching to make it more secure and have seen Jasypt (www.jasypt.org) which makes it possible to encrypt these passwords. But you still need the key to decrypt them, which only increases the problem, then I took this key into a system environment variable so that it is at least out of the application. But I still think that this really can not change a lot?
How do other people solve this problem?
Do not store production passwords in a config file within your source code.
This is an admin de facto code for any person. The environment variable set on the production server is a good way to go one. You can recover the app from that price, and can vary for different environments (Dev, Test, Live). This allows the system to know the password for example (developers have access to them without needing to know them).
Works very well in my experience.
Comments
Post a Comment