Jira Platform Cloud / JRACLOUD-31004

Encrypt Database Password in dbconfig.xml or use integrated authentication


    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Atlassian Update – 5 January 2016

      Hi everyone,

      Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, we have not been able to prioritize development on this issue and it's not in our immediate plans.

      JIRA still needs access to the database – any code to encrypt the DB credentials or the JNDI datasource would have to reside within the application, therefore an attacker who has obtained system-level access to JIRA could still reverse-engineer the implementation and decrypt the password. Therefore you only have "security via obfuscation." Please see this comment on JRASERVER-27457 for more detail.

      That said, we do think this is a positive step and want to support you. We hope to implement a solution in the future.

      I understand that our decision may be disappointing. Please don't hesitate to contact me if you have any questions.

      Regards,
      Dave Meyer
      dmeyer@atlassian.com
      Product Manager, JIRA Platform

      JIRA should encrypt the database password, since it is in plain text in the dbconfig.xml file, or it could use integrated authentication with databases such as MSSQL.

              Unassigned
              Rodrigo Girardi Adami (rgadami)
              Votes: 79
              Watchers: 79
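
A defender-side check for the situation this issue describes, added here as an example and not Atlassian's code: it reports a plaintext `<password>` in dbconfig.xml and whether the file can be read by accounts other than its owner. The sample file contents, the function names and the owner-only permission policy are assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the dbconfig.xml layout; host, user and password are placeholders.
SAMPLE_DBCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jira-database-config>
  <name>defaultDS</name>
  <database-type>mssql</database-type>
  <jdbc-datasource>
    <url>jdbc:jtds:sqlserver://db.example.internal:1433/jiradb</url>
    <username>jirauser</username>
    <password>EXAMPLE-ONLY-PASSWORD</password>
  </jdbc-datasource>
</jira-database-config>
"""


def audit_dbconfig(path):
    """Return a list of findings for the dbconfig.xml at `path` (empty list = none)."""
    findings = []
    # Local, administrator-owned file, so the stdlib parser is acceptable here.
    datasource = ET.parse(path).getroot().find("jdbc-datasource")
    if datasource is None:
        findings.append("no <jdbc-datasource> element found")
    elif (datasource.findtext("password") or "").strip():
        user = datasource.findtext("username", default="?")
        findings.append(f"plaintext <password> stored for database user '{user}'")
    # Assumption: only the account running Jira should be able to read the file.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {mode:03o} lets group/other read the credentials")
    return findings


def demo(mode):
    """Write the constructed sample with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dbconfig.xml")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_DBCONFIG)
        os.chmod(path, mode)
        return audit_dbconfig(path)


if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print(oct(mode), demo(mode))
```

The findings name the database user but never echo the password, so the output can go into a ticket or log.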
