Encrypting of "sonar.jdbc.password" on startup


betterco...@gmail.com

Nov 30, 2017, 8:54:53 PM11/30/17
to SonarQube
Hi all,

We are looking to use Sonarqube in our organisation and we have been looking at ways to "hide" the password from users so that they can't access the DB.

We've been looking at:

where you can use a key to create an encrypted version, paste it in and then it's hidden.

We are looking at using some automated tool (such as Puppet) to create the instance, so what it would do would be:
create all the sonar files
go somewhere for the "clear" DB password
paste the password into "sonar.jdbc.password"
then start SonarQube.
When SonarQube starts, it can see that there is a "sonar.secretKeyPath" set up, and if there is and the password is in cleartext, it will encrypt the password and write the change back to the "conf/sonar/properties" file.

This means that if we want to roll passwords, we can update the password and restart the Sonar server and it will re-encrypt the new password.

Does this sound reasonable, and is there a better approach?

Our other option is that we just run some Java code after we have installed Sonar and try to call out to the Sonar libraries to encrypt the password, and do it outside of Sonar.

Regards
Richard

Eric Hartmann

Dec 1, 2017, 3:20:26 AM12/1/17
to betterco...@gmail.com, SonarQube
Hi Richard,

The encryption of sonar.jdbc.password is a standard one (AES-128-ECB).
You do not need to start / stop SonarQube in order to provision the password, you can provision it directly.

Given that:
  • plain_text_password: is your password in clear text
  • secret_key: is the value of your secret key
You can feed the sonar.jdbc.password with the result of the command line:

$ echo -n ${plain_text_password} | openssl aes-128-ecb -a -e -K $(echo ${secret_key} | base64 -d | xxd -p)

Cheers,

--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/2e68a30d-9cfe-4cbc-b757-df407798be66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Eric HARTMANN | SonarSource
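The provisioning flow Richard describes, done the way Eric suggests (encrypt outside SonarQube, then write the value into the properties file), as an added example that is not code from the thread or from SonarSource. It assumes things the thread does not state: that the file named by sonar.secretKeyPath holds a base64-encoded 16-byte AES key, that openssl's default PKCS#7 padding is what SonarQube expects, and that encrypted values carry a "{aes}" prefix. The file paths in the script are placeholders, and the key and password used in its self-check are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread or from SonarSource: provision an
# encrypted sonar.jdbc.password offline, as Eric's reply describes, and write
# it into sonar.properties without starting SonarQube.
# Assumptions (not stated in the thread): the secret key file contains a
# base64-encoded 16-byte AES key, openssl's default PKCS#7 padding matches
# what SonarQube expects, and encrypted values carry the "{aes}" prefix.
set -eu

# Hex-encode stdin with od, so the script does not depend on xxd.
to_hex() {
  od -An -tx1 | tr -d ' \n'
}

# Decode the base64 secret key and return it as the hex string openssl -K wants.
key_hex() {
  printf '%s' "$1" | base64 -d | to_hex
}

# sonar_encrypt PLAINTEXT BASE64_KEY -> '{aes}<base64 ciphertext>'
# Same cipher as the openssl one-liner in the thread, plus the "{aes}" prefix.
sonar_encrypt() {
  cipher_b64=$(printf '%s' "$1" | openssl enc -aes-128-ecb -e -a -A -K "$(key_hex "$2")")
  printf '{aes}%s\n' "$cipher_b64"
}

# sonar_decrypt '{aes}<base64>' BASE64_KEY -> PLAINTEXT. Used here only for a
# round-trip check; anyone who can read the key file can do exactly this, which
# is why that file needs the same protection as the clear-text password.
sonar_decrypt() {
  printf '%s' "$1" | sed 's/^{aes}//' | openssl enc -aes-128-ecb -d -a -A -K "$(key_hex "$2")"
}

# Known-answer test from FIPS-197 appendix C.1 (AES-128, one raw block, no
# padding): confirms the local openssl really computes AES-128-ECB before it is
# trusted with a production key. Input block is 00112233445566778899aabbccddeeff.
aes_known_answer() {
  printf '\000\021\042\063\104\125\146\167\210\231\252\273\314\335\356\377' \
    | openssl enc -aes-128-ecb -e -nopad -K 000102030405060708090a0b0c0d0e0f \
    | to_hex
}

# set_sonar_property FILE NAME VALUE: replace (or append) NAME=VALUE in a
# properties file, the "paste it into sonar.jdbc.password" step of the thread.
# Written to a temp file and moved into place so a crash leaves the old file intact.
set_sonar_property() {
  file=$1; name=$2; value=$3
  tmp="$file.tmp.$$"
  if grep -q "^$name=" "$file"; then
    # '|' is a safe sed delimiter here: base64 output never contains it
    sed "s|^$name=.*|$name=$value|" "$file" > "$tmp"
  else
    { cat "$file"; printf '%s=%s\n' "$name" "$value"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Command-line use (paths are placeholders; the first is whatever
# sonar.secretKeyPath points at):
#   printf '%s' "$DB_PASSWORD" | ./sonar_encrypt.sh /etc/sonar/secret.txt conf/sonar.properties
# The clear-text password is read from stdin so it never appears in argv or `ps`.
if [ $# -eq 2 ]; then
  IFS= read -r clear_password
  set_sonar_property "$2" sonar.jdbc.password "$(sonar_encrypt "$clear_password" "$(cat "$1")")"
fi
```

Two properties of this scheme matter when automating it with a tool like Puppet. The secret key file is equivalent to the password, so the provisioning run should create it with owner-only permissions and the same secrecy as the clear-text value it replaces. And because ECB is deterministic, the same password under the same key always yields the same "{aes}" string, so identical values in two properties files reveal that the two instances share a database password even to someone who cannot decrypt either.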

betterco...@gmail.com

Dec 3, 2017, 5:05:40 PM12/3/17
to SonarQube
Thanks Eric,

We'll try that.

Regards
Richard