PwmConfiguration.xml is a sensitive file storing sensitive information and needs to be treated as such; storing encrypted rather than cleartext password values within it doesn't actually add anything from a security perspective.
I wouldn't really care, except that this 'feature' interferes with the operation of some Configuration Management tools. Many CM tools don't just need to be able to set configuration values; they need to be able to check whether the configuration currently in place matches what the tool expects it to be. Right now, the only way for Puppet or Chef to know if the current (for example) ldap.proxy.password value is correct is to re-implement the encryption scheme in Ruby, which seems like wasted effort if encrypting the values in the configuration file doesn't actually accomplish anything.
TL;DR: I know that it's possible to write cleartext values to PwmConfiguration.xml and PWM will accept them and use them; but whenever it writes the configuration file back out again, it will replace the cleartext with an encrypted copy of the value. Is there any way to prevent that step? Otherwise, when Puppet runs it'll write out a cleartext password again and restart PWM, which will then write out an encrypted password, and 30 minutes later the process will repeat.
Thanks,
- Adam