Password in clear text in local.cfg


Josefin Wahlström

Feb 16, 2026, 11:23:32 AM
to dspac...@googlegroups.com

Hello,

We’re currently looking at the security of DSpace and noticed that the database password is supposed to be stored in clear text in local.cfg.

I’m wondering what the motivation for this is, and if anyone has an alternative solution to saving the password in clear text?

Best Regards,

Josefin Wahlström
Sveriges lantbruksuniversitet

 


DSpace Technical Support

Feb 16, 2026, 12:03:33 PM
to DSpace Technical Support

Hi Josefin,

While you are correct that DSpace will store these settings in a plain text configuration file by default, this is *not required* for Production scenarios. 

In Production, sites may choose to instead specify these same settings via Environment Variables or System properties.

For details on using environment variables see our documentation for Reloading/Overriding Configurations: https://wiki.lyrasis.org/display/DSDOC9x/Configuration+Reference#ConfigurationReference-ConfigurationSchemeforReloadingandOverriding

So, institutions can decide which approach they wish to use. Obviously, if you store the password in plain text, then you would need to ensure that file is secured as much as possible. This is why many institutions choose to use Environment Variables for configurations which they wish to keep more secure.

Hopefully that helps explain the options better.

Tim
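
As an added example (not part of the thread and not DSpace code), the script below audits a local.cfg for the two points in the message above: a db.password value stored in the file, and file permissions that extend beyond the owner. The __P__/__D__ environment-variable naming is an assumption taken from the DSpace 7+ configuration documentation, and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a DSpace local.cfg for a plaintext db.password
# and for permissions wider than the owner.

# Assumption: DSpace 7+ env-var naming, "." -> "__P__", "-" -> "__D__".
cfg_key_to_env() {
  printf '%s\n' "$1" | sed -e 's/\./__P__/g' -e 's/-/__D__/g'
}

# Succeeds if the file ($1) sets a non-empty, uncommented value for key ($2).
has_plaintext_value() {
  awk -v k="$2" '
    /^[ \t]*[#!]/ { next }                      # skip comment lines
    {
      line = $0; sub(/^[ \t]*/, "", line)
      if (index(line, k) != 1) next             # literal key match only
      rest = substr(line, length(k) + 1)
      if (rest !~ /^[ \t]*[=:]/) next           # e.g. db.password.other
      sub(/^[ \t]*[=:][ \t]*/, "", rest); sub(/[ \t\r]+$/, "", rest)
      if (rest != "") found = 1
    }
    END { exit !found }
  ' "$1"
}

# Succeeds if group and others have no access (e.g. mode 600 or 400).
owner_only() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints findings; returns non-zero if there are any.
audit_local_cfg() {
  local file=$1 rc=0
  if has_plaintext_value "$file" db.password; then
    echo "FINDING: db.password is set in $file; env var $(cfg_key_to_env db.password) can carry it instead"
    rc=1
  fi
  if ! owner_only "$file"; then
    echo "FINDING: $file is accessible to group/others; restrict it to the service account"
    rc=1
  fi
  return $rc
}

# Constructed sample: world-readable file with a made-up password.
demo() {
  local f; f=$(mktemp)
  printf '%s\n' '# constructed sample' 'db.password = example-only' > "$f"
  chmod 644 "$f"; audit_local_cfg "$f" || true; rm -f "$f"
}
demo
```

audit_local_cfg takes the path to a real local.cfg and returns non-zero when it prints a finding.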

mw...@iu.edu

Feb 16, 2026, 1:38:54 PM
to dspac...@googlegroups.com
On Mon, Feb 16, 2026 at 04:00:15PM +0000, Josefin Wahlström wrote:
> We’re currently looking at the security of DSpace and noticed that the database password is supposed to be stored in clear text in local.cfg.
>
> I’m wondering what the motivation for this is, and if anyone has an alternative solution to saving the password in clear text?

Any approach that does not require manual intervention to supply key
material is plaintext-equivalent. If the system can start itself
unassisted, then somewhere in the system there is at least one
plaintext secret, and thus anyone with unrestricted read access to the
filesystem can eventually decrypt any encrypted secrets.

What's your threat model? Is it feasible in your application to have
a human operator standing by to unlock the system?

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
library.indianapolis.iu.edu

ORCiD: 0000-0002-9558-3768

mw...@iu.edu

Feb 16, 2026, 1:51:33 PM
to dspac...@googlegroups.com
On Mon, Feb 16, 2026 at 05:03:33PM +0000, DSpace Technical Support wrote:
> Hi Josefin,
>
> While you are correct that DSpace will store these settings in a plain text configuration file by default, this is *not required* for Production scenarios.
>
> In Production, sites may choose to instead specify these same settings via Environment Variables or System properties.
>
> For details on using environment variables see our documentation for Reloading/Overriding Configurations: https://wiki.lyrasis.org/display/DSDOC9x/Configuration+Reference#ConfigurationReference-ConfigurationSchemeforReloadingandOverriding
>
> So, institutions can decide which approach they wish to use. Obviously, if you store the password in plain text, then you would need to ensure that file is secured as much as possible. This is why many institutions choose to use Environment Variables for configurations which they wish to keep more secure.

Please note that this simply moves the problem elsewhere. Now you
need to secure the source of the values for those environment variables.

You can also have the Servlet container construct a connection pool
and inject it into DSpace through JNDI, but now your plaintext
database password is in the container's configuration.

We can make the bad guys work a little harder but we can't stop a
determined one without human judgment to break the path to the goodies.

> Hopefully that helps explain the options better.
>
> Tim