Obfuscate play.server.https.keyStore.password


federic...@visionaris.com.ar

Nov 3, 2017, 6:02:31 PM
to Play Framework
Hi. I need to obfuscate the keystore password in the file application.conf. That password is in the property play.server.https.keyStore.password. I could also store the obfuscated password in another property. How could I set the keyStore password from within the code and before Play tries to read it from the configuration file?

Thanks!

Justin du coeur

Nov 4, 2017, 2:29:30 AM
to play-fr...@googlegroups.com
What are you actually trying to accomplish here?  Most forms of "obfuscation" don't really help with security, but there are several techniques for not putting passwords into a checked-in config file, if that's the problem.  (Eg: putting it into an environment variable, or in a separate, imported, not-checked-in config file.)


Federico Milano

Nov 5, 2017, 6:31:24 PM
to Play Framework
Hi. This is for complying with a legal requirement of no passwords in clear text in config files. I can save the password in a MongoDB database I use for application data, but the issue is where I can hook the initialization so I can inject the password.

Thanks!

Tim Moore

Nov 5, 2017, 6:45:32 PM
to play-fr...@googlegroups.com
The best practice is to use an environment variable to inject the secret configuration in from the outside. Then it becomes an operations concern of how to set that environment variable when running in production (there are many approaches for this with varying security tradeoffs... maybe your security or ops team already has a preferred approach).

https://www.playframework.com/documentation/2.6.x/ProductionConfiguration#Using-environment-variables describes how you can reference environment variables in your configuration file, with optional fallback to a default value.

The configuration is read very early in the bootstrap process, so it's much easier to change it from the outside than from code running inside your application.

Cheers,
Tim




--
Tim Moore
Senior Engineer, Lagom, Lightbend, Inc.
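The environment-variable reference Tim points to, written out as an added example for application.conf (this is not code from the thread or from the Play documentation). The variable name HTTPS_KEYSTORE_PASSWORD and the keystore path are assumptions; the configuration keys are the ones Play uses for its HTTPS server.

```hocon
# application.conf (added example). The keystore file itself can live
# in the repository: it is useless without the password.
play.server.https {
  keyStore {
    path = "conf/keystore.jks"   # assumed location
    type = "JKS"

    # HOCON optional substitution: ${?VAR} assigns the key only when VAR
    # is present in the process environment at startup. When it is absent
    # the key keeps whatever value was assigned earlier, so the checked-in
    # file never carries the secret in clear text.
    password = ${?HTTPS_KEYSTORE_PASSWORD}
  }
}
```

If you want a visible default for local development, assign it first and let the substitution override it (`password = "changeit"` followed by `password = ${?HTTPS_KEYSTORE_PASSWORD}`); HOCON applies the later assignment only when the variable exists. The secret is then supplied by whatever starts the process (a systemd `Environment=` line, a container runtime secret, or the ops team's vault agent), which is the operations concern Tim describes. Keep in mind that the process environment is readable by anyone who can inspect the running process, so the variable should be set only in the JVM's own environment, not exported in a shared shell profile.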

Federico Milano

Nov 7, 2017, 11:00:41 AM
to play-fr...@googlegroups.com
Dear Tim, thank you for the information. Sadly my client has rejected this approach. Is there any way for me to provide the SSL keystore password information from within the application during startup?

Thank you

Federico
