How to Encrypt Passwords in Configuration Files
Use this guide when you need to include sensitive passwords in your config files and want to ensure that they're encrypted so they can't be easily seen by users looking at the configuration files.
Step-by-step guide
- Use the osgi console encrypt command to encrypt a clear text password.
  Go to the osgi console, type encrypt <password> and press return, e.g.

  Encrypting a password
  osgi> encrypt My$upaSekrutP@sswurd
  ENCKPXBCTMGGMKBGKPK
- Copy the encrypted password from the console and paste it back into the configuration file, replacing the original password.

  Before encrypting password
  <username>bob</username>
  <password>My$upaSekrutP@sswurd</password>

  After encrypting password
  <username>bob</username>
  <password>ENCKPXBCTMGGMKBGKPK</password>
The encryption key used to encrypt the passwords is stored in the file called private.key, located in the Weave folder (e.g. C:\weave\platform\workspace).
This file is generated the first time Weave starts and will be unique for each Weave instance, which means that encrypting the same password with different instances of Weave would result in different encrypted text.
This means that if you want to re-use the same configuration files on multiple Weave instances, for example development and production, then you need to either:
- Copy the private.key file from the server where the passwords were encrypted to the other server, so the encryption/decryption key is the same on both instances.
- Move the passwords out of the XML where they are directly included and set them in a separate XML file that you include into your config, then encrypt the passwords on both Weave instances and have the different passwords set in the password XML file.
Additionally, for extra security, the permissions on the private.key file should be set to only allow the users running the Weave instance to read it.
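One way to apply that permission restriction on a Windows server, as an added PowerShell example that is not part of the Weave documentation. The key path uses this page's example folder and WEAVEHOST\svc-weave is a placeholder for the account that runs your Weave instance; run it from an elevated prompt.

```powershell
# Added example: make private.key readable only by the account running Weave.
# Assumptions: $KeyPath follows the page's example folder, and
# 'WEAVEHOST\svc-weave' is a placeholder service account name.
param(
    [string]$KeyPath        = 'C:\weave\platform\workspace\private.key',
    [string]$ServiceAccount = 'WEAVEHOST\svc-weave'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) {
    throw "Key file not found: $KeyPath (it is generated the first time Weave starts)"
}

# Resolve the account first so a typo fails before the ACL is touched.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -LiteralPath $KeyPath

# Stop inheriting from the workspace folder and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove every remaining explicit entry.
foreach ($rule in @($acl.Access)) {
    $acl.RemoveAccessRuleAll($rule)
}

# Grant read-only access to the Weave account and write the ACL back.
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Read', 'Allow')
$acl.AddAccessRule($readOnly)
Set-Acl -LiteralPath $KeyPath -AclObject $acl

# Re-read the ACL and fail loudly if any other principal still has access.
$unexpected = (Get-Acl -LiteralPath $KeyPath).Access | Where-Object {
    $id = $_.IdentityReference
    $id.Translate([System.Security.Principal.SecurityIdentifier]).Value -ne $sid.Value
}
if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
    throw "Unexpected principals still have access to $KeyPath"
}
Write-Output "private.key is now readable only by $ServiceAccount"
```

Apply the same restriction to every copy of private.key, including the one you transfer to a second Weave instance.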
Also refer to the following sections of the Weave System Administrator Guides: