Type: Suggestion
Resolution: Unresolved
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion.
Passwords are not encrypted in confluence-mail.cfg.xml nor in confluence.cfg.xml; they should be.
Resolve an encryption scheme for anything requiring security stored on the file system.
Is related to:
- CONFSERVER-2146 Encrypt all passwords stored on the file system (Closed)
- CONFSERVER-57946 Encrypt all passwords stored on the file system (Closed)
- JRACLOUD-31004 Encrypt Database Password in dbconfig.xml or use integrated authentication (Closed)
Relates to:
- ID-8978 Advanced password management (Gathering Interest)
Many apps store an encrypted password in a config file. If you're worried about the ability to update the password in the event that the encrypted password is wrong, either ensure there's a separate utility available to update it and/or allow the user to enter a plaintext password temporarily in the file to get the server to start (that will later be encrypted).
There are of course many other options, but at a minimum get rid of the PlainText-By-Default approach currently in use quickly - and implement fancier options in future releases. It is difficult to understand how this has been open for 12+ years!
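The startup pattern the comment above describes, as an added example that is neither Atlassian's code nor part of this issue: a loader for a confluence.cfg.xml-style properties file that accepts a plaintext password once, encrypts it in place on the first start (rewriting the file atomically with owner-only permissions), and on later starts only decrypts it in memory, so that a wrong stored value can still be fixed by dropping a plaintext value in temporarily. The ENC(...) marker, the property name hibernate.connection.password and the sample file are assumptions/constructed. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only so the example runs on the Python standard library; a production implementation would use a vetted AEAD (AES-GCM from a crypto library) and take the master key from a key file or keystore readable only by the service account, never from the config file itself.

```python
# Added example (not Atlassian code): encrypt password properties on first start.
# Assumed/constructed: the ENC(...) marker, the property name, the sample file.
# HMAC-CTR + encrypt-then-MAC is a stdlib stand-in for a real AEAD (e.g. AES-GCM).
import base64
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET

ENC_PREFIX, ENC_SUFFIX = "ENC(", ")"   # marker for already-encrypted values (assumed)
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(master: bytes):
    # Separate encryption and MAC keys derived from the one master key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) as a PRF keystream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def is_encrypted(value: str) -> bool:
    return value.startswith(ENC_PREFIX) and value.endswith(ENC_SUFFIX)

def encrypt_value(master: bytes, plaintext: str) -> str:
    """Random nonce per value, XOR with keystream, then MAC over nonce || ciphertext."""
    enc_key, mac_key = _subkeys(master)
    nonce, pt = os.urandom(NONCE_LEN), plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ENC_PREFIX + base64.b64encode(nonce + ct + tag).decode("ascii") + ENC_SUFFIX

def decrypt_value(master: bytes, token: str) -> str:
    """Check the tag before decrypting; a wrong key or an edited value is rejected."""
    if not is_encrypted(token):
        raise ValueError("not an ENC(...) value")
    raw = base64.b64decode(token[len(ENC_PREFIX):-len(ENC_SUFFIX)])
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated token")
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered value")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")

def load_config(path: str, master: bytes):
    """Return ({property: plaintext}, rewritten). A plaintext *password property is
    accepted once, encrypted in place, and the file is atomically rewritten."""
    tree = ET.parse(path)
    secrets, rewritten = {}, False
    for prop in tree.getroot().iter("property"):
        name = prop.get("name", "")
        if not name.lower().endswith("password"):
            continue
        value = prop.text or ""
        if is_encrypted(value):
            secrets[name] = decrypt_value(master, value)
        else:                                   # one-time plaintext bootstrap
            secrets[name] = value
            prop.text = encrypt_value(master, value)
            rewritten = True
    if rewritten:
        tmp = path + ".tmp"                     # write, restrict, then atomic replace
        tree.write(tmp, encoding="utf-8", xml_declaration=True)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    return secrets, rewritten

# Constructed sample in the shape of a confluence.cfg.xml properties block.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <properties>
    <property name="hibernate.connection.username">confluence</property>
    <property name="hibernate.connection.password">s3cret-dev-only</property>
  </properties>
</confluence-configuration>
"""

def bootstrap_demo() -> dict:
    """First start encrypts in place; second start only decrypts; wrong key is refused."""
    master = os.urandom(32)                     # in practice: a key file or keystore, not the config
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "confluence.cfg.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        first, rewritten_first = load_config(path, master)
        with open(path, encoding="utf-8") as f:
            on_disk = f.read()
        second, rewritten_second = load_config(path, master)
        try:
            load_config(path, os.urandom(32))
            wrong_key_accepted = True
        except ValueError:
            wrong_key_accepted = False
    return {"first": first, "second": second, "rewritten_first": rewritten_first,
            "rewritten_second": rewritten_second,
            "plaintext_on_disk": "s3cret-dev-only" in on_disk,
            "wrong_key_accepted": wrong_key_accepted}
```

Running bootstrap_demo() shows the two states the comment asks for: after the first load the file holds only an ENC(...) token, the second load returns the same password without touching the file, and a load with a different key fails closed instead of feeding garbage to the database driver. The MAC check is what makes the "wrong stored password" case diagnosable: a corrupted or mis-keyed value is reported at startup rather than surfacing later as an authentication failure against the database or mail server.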