Details
-
Suggestion
-
Resolution: Obsolete
-
None
Description
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
Hi everyone,
Thanks for voting and commenting on this issue. While we understand the importance of this issue for our customers with strict password encryption requirements, we have not been able to prioritize development on this issue and it's not in our immediate plans.
JIRA still needs access to the database – any code to encrypt the DB credentials or the JNDI datasource would have to reside within the application, therefore an attacker who has obtained system-level access to JIRA could still reverse-engineer the implementation and decrypt the password. Therefore you only have "security via obfuscation." Please see this comment on JRASERVER-27457 for more detail.
That said, we do think this is a positive step and want to support you. We hope to implement a solution in the future.
I understand that our decision may be disappointing. Please don't hesitate to contact me if you have any questions.
Regards,
Dave Meyer
dmeyer@atlassian.com
Product Manager, JIRA Platform
JIRA should Encrypt the database password since it's in plain text in the dbconfig.xml file or it could use the integrated authentication with the databases such as MSSQL database.
Attachments
Issue Links
- is related to
-
- Closed
- relates to
-
- Closed
-
- Closed
-
- Gathering Interest