Jason Greene [
https://community.jboss.org/people/jason.greene] commented on the document
"JBoss AS7 Securing Passwords"
To view all comments on this document, visit:
https://community.jboss.org/docs/DOC-17248#comment-11340
--------------------------------------------------
Anil Saldhana wrote:
Read, it says it uses "Password based Encryption" which is security by
obscurity. It is not 100% secure.
To really get foolproof security of passwords, you either:
a) use FIPS 140-2 certified keystore or
b) use a 3rd party ISV implementation of the vault.
That's not foolproof.
Hardware encryption will make it difficult to copy the store, but since you have to have
the password in our config file, someone with access to the system can get those passwords
the same way we can. A user-prompted password would be a lot more secure; however, for
the reasons in mentallurg's article it's not very practical. Even with that, though,
it's not foolproof: if someone gains access to the system they don't even need to use
the keystore. If they can get permissions to the running process (e.g. become the user
running JBoss), then they can take a memory dump of the JVM. Using the memory dump you can
get the passwords out.
--------------------------------------------------