Encrypt Database Password in Javaplay


Amodth Jayawardena

Oct 7, 2015, 2:27:37 AM10/7/15
to play-framework
Hi,

I'm developing a Java Play application and I'm keeping the Database password in plain text inside the application.conf file.


db.default.url="jdbc:oracle:thin:@HOST:PORT/SID"
db.default.user=USER
db.default.pass=PW

Due to a security policy, I'm not allowed to store the password in plain text.

One solution is to add the password in another file and include it to the application.conf. Then place the file which contain the password in a restricted location. Even in this solution password is kept in plain text, which is not allowed.

I would like to know whether there is any mechanism to keep database password in an Encrypted form inside the application.conf file.

Thanks.

Igmar Palsenberg

Oct 7, 2015, 10:26:27 AM10/7/15
to play-framework
> One solution is to add the password in another file and include it to the application.conf. Then place the file which contain the password in a restricted location. Even in this solution password is kept in plain text, which is not allowed.
>
> I would like to know whether there is any mechanism to keep database password in an Encrypted form inside the application.conf file.

And where do you store the key to decrypt it? You need it in plaintext at some point. Either use an HSM, or have the process starting the Play instance fetch it.

The security policy is pretty flawed if you ask me, you might want to revise that.


Regards,


Igmar

sachin walia

Oct 7, 2015, 1:12:27 PM10/7/15
to play-framework
The process, even though it is flawed, would be a requirement for many enterprises, especially if you are dealing with PCI compliance.

I have to create my own DB Plugin to use encrypted credentials.

As far as the key/password is concerned, it could be loaded from an NFS mount with very restricted permissions.

thanks,

Sachin Walia
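The approach Sachin describes (ciphertext in application.conf, key on a restricted mount) is sketched below as an added example; it is not his plugin, which is not shown in the thread, and not Play's own code. It assumes AES-256-GCM via the standard javax.crypto API, a raw 32-byte key file whose path (here /mnt/secrets/db.key) is hypothetical, and a POSIX filesystem so the permission check can run. The ciphertext is bound to the config key name through the GCM associated data, so a blob copied from one setting cannot be decrypted as another.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: encrypt/decrypt db.default.pass with a key held on a restricted mount. */
public class EncryptedDbPassword {

    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final int KEY_BYTES = 32;  // AES-256
    private static final byte[] AAD = "db.default.pass".getBytes(StandardCharsets.UTF_8);

    /** Reads the raw AES key; refuses a key file that group or others can read. */
    public static byte[] loadKey(Path keyFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException(keyFile + " is readable by group/others; refusing to use it");
        }
        byte[] key = Files.readAllBytes(keyFile);
        if (key.length != KEY_BYTES) {
            throw new IOException("expected " + KEY_BYTES + "-byte key, got " + key.length);
        }
        return key;
    }

    /** One-off step: returns base64(iv || ciphertext || tag) to paste into application.conf. */
    public static String encrypt(byte[] key, String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv); // fresh nonce per encryption; reuse under one key breaks GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(AAD); // ties the blob to this config key
        byte[] ct = cipher.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Startup step: reverses encrypt(); a wrong key or tampered blob raises AEADBadTagException. */
    public static String decrypt(byte[] key, String token) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(token);
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short to contain nonce and tag");
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(AAD);
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2 || !(args[1].equals("encrypt") || args[1].equals("decrypt"))) {
            System.err.println("usage: EncryptedDbPassword <keyfile> encrypt|decrypt  (input on stdin)");
            System.exit(2);
        }
        byte[] key = loadKey(Paths.get(args[0])); // e.g. /mnt/secrets/db.key, mode 0400 (hypothetical path)
        String input = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8)).readLine();
        if (args[1].equals("encrypt")) {
            System.out.println(encrypt(key, input));
        } else {
            // This is what a custom DB plugin would do with the value it reads from application.conf.
            String password = decrypt(key, input);
            System.out.println("decrypted OK, password length " + password.length()); // never print the secret
        }
    }
}
```

Run it once with `encrypt` to produce the blob for `db.default.pass`, and call `decrypt()` in the plugin before handing the password to the JDBC pool. Note what this does and does not buy you: application.conf can now be checked in or read by the deployment tooling without exposing the password, but the key file is itself a plaintext secret, which is exactly Igmar's objection. The permission check in `loadKey()` is the minimum guard on that file; on an NFS mount it relies on the server honouring the same UID mapping, so keep root-squash on and restrict the export to the application hosts.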

Mike Mazur

Oct 7, 2015, 10:45:39 PM10/7/15
to play-fr...@googlegroups.com
Hi Amodth,

Can you set the password as an environment variable and read it in application.conf? Check out factor 3 of the Twelve-Factor App: http://12factor.net/

Your provisioning tool can set the password when it deploys your app. You may also want to look at Vault, a tool designed to manage this kind of stuff: https://vaultproject.io/

Mike
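Mike's suggestion in concrete form, as an added example that is not from the thread or from Play itself. Play's application.conf is HOCON, read through the Typesafe Config library, and `${?NAME}` substitutions fall back to the process environment. The config text is embedded here so the snippet runs outside a Play project; the environment variable names `DB_USER` and `DB_PASSWORD` are assumed.

```java
import com.typesafe.config.Config;
import com.typesafe.config.ConfigFactory;

/** Added example: resolve db.default.pass from the environment instead of a literal in application.conf. */
public class DbPasswordFromEnv {

    // Assumed application.conf contents. `${?DB_PASSWORD}` is an optional substitution:
    // when the variable is unset the key is simply absent, so the app can fail at startup
    // rather than silently connect with an empty password. The second db.default.user line
    // only overrides the default if DB_USER is present.
    static final String APPLICATION_CONF = String.join("\n",
        "db.default.driver = oracle.jdbc.OracleDriver",
        "db.default.url = \"jdbc:oracle:thin:@HOST:PORT/SID\"",
        "db.default.user = \"app_user\"",
        "db.default.user = ${?DB_USER}",
        "db.default.pass = ${?DB_PASSWORD}");

    /** Returns the resolved password, or throws if the environment did not supply one. */
    public static String loadDbPassword() {
        // parseString() leaves substitutions unresolved; resolve() with the default options
        // consults System.getenv() for references not defined in the config itself.
        // ConfigFactory.load(), which Play uses for application.conf, resolves the same way.
        Config conf = ConfigFactory.parseString(APPLICATION_CONF).resolve();
        if (!conf.hasPath("db.default.pass")) {
            throw new IllegalStateException("DB_PASSWORD is not set; refusing to start without a DB password");
        }
        return conf.getString("db.default.pass");
    }

    public static void main(String[] args) {
        String password = loadDbPassword();
        // Log that the secret was found, never the secret itself.
        System.out.println("db.default.pass resolved from environment, length " + password.length());
    }
}
```

With the config jar on the classpath, `DB_PASSWORD='...' java DbPasswordFromEnv` resolves the value and the same file works unchanged under Play. The provisioning tool, a systemd `EnvironmentFile=` with mode 0600, or a wrapper that reads the secret from Vault at start sets the variable; the process environment is still readable by the same user and by root via /proc, and is inherited by child processes and crash reports, so treat it as runtime memory rather than as storage.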


To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/723e9b71-e28c-4459-9f2a-ae1a71a5c8f5%40googlegroups.com.