JBoss Community

JBoss AS7 Securing Passwords

new comment by Jason Greene

Anil Saldhana wrote:

Read, it says it uses "Password Based Encryption", which is security by obscurity. It is not 100% security.

To really get foolproof security of passwords, you either:

a) use FIPS 140-2 certified keystore or

b) use a 3rd party ISV implementation of the vault.

That's not foolproof. Hardware encryption will make it difficult to copy the store, but since you have to have the password in our config file, someone with access to the system can get those passwords the same way we can. A user-prompted password would be a lot more secure; however, for the reasons in mentallurg's article, it's not very practical. Even with that, though, it's not foolproof: if someone gains access to the system, they don't even need to use the keystore. If they can get permissions to the running process (e.g. become the user running JBoss), then they can take a memory dump of the JVM. Using the memory dump, you can get the passwords out.