How to Encrypt Passwords in Configuration Files

Use this procedure when you need to include sensitive passwords in your configuration files and want them stored encrypted, so they cannot be read by anyone who can view the configuration files.

Step-by-step guide

  1. Use the osgi console encrypt command to encrypt a clear text password
    1. Go to the osgi console, type encrypt <password> and press return, e.g.

      Encrypting a password
      osgi> encrypt My$upaSekrutP@sswurd
      ENCKPXBCTMGGMKBGKPK
  2. Copy the encrypted password from the console and paste it into the configuration file in place of the original clear text password

    Before encrypting password
    <username>bob</username>
    <password>My$upaSekrutP@sswurd</password>
    After encrypting password
    <username>bob</username>
    <password>ENCKPXBCTMGGMKBGKPK</password>

The encryption key used to encrypt the passwords is stored in a file called private.key, located in the Weave workspace folder (e.g. C:\weave\platform\workspace).

This file is generated the first time Weave starts and is unique to each Weave instance, so encrypting the same password on different Weave instances produces different encrypted text, and an encrypted value copied from one instance cannot be decrypted by another.

This means that if you want to reuse the same configuration files on multiple Weave instances, for example development and production, you need to do one of the following:

  • Copy the private.key file from the server where the passwords were encrypted to the other server, so that both instances share the same encryption/decryption key.
  • Move the passwords out of the main XML into a separate XML file that the main configuration includes, then encrypt the passwords separately on each Weave instance (each with its own private.key) and keep the instance-specific encrypted values in that password file.

Additionally, for extra security, the permissions on private.key should be set so that only the user account running the Weave instance can read it: anyone who can read the key can decrypt every password encrypted with it, so the encryption only protects the passwords as well as the key file is protected.
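As an added check after following the steps above (example code, not part of Weave or of this page), the following script audits a configuration file for password elements that were never replaced with their encrypted form, and checks the permission bits of private.key. It assumes that the encrypt command always emits values carrying the ENC prefix seen in the example above and that passwords live in elements named <password>; the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit a Weave-style XML config for clear-text passwords and check the
permission bits of private.key. Added example; not Weave's own code."""
from __future__ import annotations

import os
import stat
import sys
import xml.etree.ElementTree as ET

# Assumption: the osgi `encrypt` command always emits values with this prefix,
# as in the example on the page (ENCKPXBCTMGGMKBGKPK).
ENC_PREFIX = "ENC"


def find_plaintext_passwords(xml_text: str, tag: str = "password") -> list[tuple[str, str]]:
    """Return (username, element path) for every <password> whose value is not ENC-prefixed.

    Empty passwords are reported too. A clear-text password that happens to
    start with "ENC" is the one case this check cannot tell apart.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter(tag):
        value = (elem.text or "").strip()
        if value.startswith(ENC_PREFIX):
            continue
        path, node = [], elem
        while node is not None:
            path.append(node.tag)
            node = parent_of.get(node)
        parent = parent_of.get(elem)
        user_elem = parent.find("username") if parent is not None else None
        username = (user_elem.text or "").strip() if user_elem is not None else ""
        findings.append((username, "/".join(reversed(path))))
    return findings


def key_mode_is_private(mode: int) -> bool:
    """True if a POSIX mode grants no group or other access (e.g. 0o600 or 0o400)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def private_key_is_protected(path: str) -> bool:
    """Check the on-disk private.key. On Windows the mode bits are not
    meaningful; inspect the file's ACL with icacls instead."""
    return key_mode_is_private(os.stat(path).st_mode)


# Constructed sample: one datasource still holds the clear-text password from
# the "before" example, the other has already been converted.
SAMPLE_CONFIG = """<config>
  <datasource name="dev">
    <username>bob</username>
    <password>My$upaSekrutP@sswurd</password>
  </datasource>
  <datasource name="prod">
    <username>alice</username>
    <password>ENCKPXBCTMGGMKBGKPK</password>
  </datasource>
</config>
"""

if __name__ == "__main__":
    for username, where in find_plaintext_passwords(SAMPLE_CONFIG):
        print(f"clear-text password for user {username!r} at {where}")
    # Optionally pass the path of private.key to check its permissions.
    if len(sys.argv) > 1:
        print("private.key protected:", private_key_is_protected(sys.argv[1]))
```

Run it against each configuration file before deploying; an empty result means every password element carries the ENC prefix. The permission check only reads POSIX mode bits, so on a Windows install use icacls to confirm that only the Weave service account has read access to private.key.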

Also refer to the following sections of the Weave System Administrator Guides: