On 1/22/2014 10:05 AM, Stian Thorgersen wrote:
> I think having to enter a master password to start the server could
> make it quite difficult to manage, especially in clouds and provisioned environments. It
> should be available as an option though.

Good point. This feature would be backburner then.

> Properties file could be the default. We could create a random
> password and store it in a file when a realm is created. There's ways to make sure the
> file is secure (permissions, encrypted storage, etc.). It also means that an attacker
> would have to gain access to both the server and the db.

Doesn't make much sense to me. If there's ways to secure this property
file, why wouldn't you do the same for the database?

> Would we store the password in memory, the unencrypted private key,
> or both? With a properties file you wouldn't need to store either in memory, although
> it would probably become very expensive to decrypt the key all the time.
Private key has to be in memory unencrypted. I'd like to load up and
keep the whole database in memory. But that's another discussion down
the road.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Bruno Oliveira" <bruno(a)abstractj.org>, keycloak-dev(a)lists.jboss.org
> Sent: Wednesday, 22 January, 2014 2:43:51 PM
> Subject: Re: [keycloak-dev] Password storage and KDFs
>
> Using a property file sort of defeats the purpose of encrypting the
> keys. The password must be stored in the human brain, IMO :) I'd like
> to store keys as text in the db. They are already stored in PEM format.
>
> On 1/22/2014 9:39 AM, Bruno Oliveira wrote:
>> We did something on AeroGear with a property file (not perfect), but I would
>> like to look at Keycloak before suggesting anything. Maybe it is possible to
>> implement it using the KeyStore from Java?
>>
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
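The thread weighs a master password against a per-realm random secret kept in a server-side file, with the private keys stored (encrypted) in the database so that an attacker needs both the file and the db. The following is an added sketch of that properties-file option; it is not Keycloak code and not written by anyone on this thread. The algorithm choices (PBKDF2-HMAC-SHA256 as the KDF, AES-256-GCM to wrap the PEM key, a 0600 file holding a hex secret) and the file name `realm-master.properties` are assumptions for the example, not decisions the thread made. The KDF is written out in full so the "KDF" part of the subject line is visible rather than hidden behind a library call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	saltLen   = 16
	nonceLen  = 12
	kdfRounds = 100_000 // assumed iteration count; tune for the deployment
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256: T_i = U_1 xor ... xor U_c,
// U_1 = PRF(salt || INT(i)), U_j = PRF(U_{j-1}).
func pbkdf2SHA256(password, salt []byte, rounds, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < rounds; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// WriteMasterSecret generates the random per-realm secret at realm creation
// and stores it hex-encoded in a file readable only by the server's user.
func WriteMasterSecret(path string) error {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	return os.WriteFile(path, []byte(hex.EncodeToString(buf)+"\n"), 0o600)
}

// LoadMasterSecret refuses to use a secret file that is group- or world-accessible,
// since the file permissions are the whole point of the scheme.
func LoadMasterSecret(path string) ([]byte, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %o is too open, expected 0600", path, fi.Mode().Perm())
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return hex.DecodeString(strings.TrimSpace(string(raw)))
}

// newGCM derives a fresh AES-256 key from the secret and a per-record salt.
func newGCM(secret, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(secret, salt, kdfRounds, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapPrivateKey encrypts a PEM-encoded private key for storage in the db.
// Record layout: salt || nonce || AES-GCM ciphertext; the salt is also bound as AAD.
func WrapPrivateKey(secret, pemKey []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+nonceLen+len(pemKey)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, pemKey, salt), nil
}

// UnwrapPrivateKey decrypts a db record; a wrong secret or a modified record fails the GCM tag.
func UnwrapPrivateKey(secret, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("wrapped key record too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(secret, salt)
	if err != nil {
		return nil, err
	}
	pemKey, err := gcm.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master secret or tampered record")
	}
	return pemKey, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "realm")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "realm-master.properties") // assumed file name
	if err := WriteMasterSecret(path); err != nil {
		panic(err)
	}
	secret, err := LoadMasterSecret(path)
	if err != nil {
		panic(err)
	}
	// Constructed placeholder standing in for a real PEM key.
	pemKey := []byte("-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n")
	blob, _ := WrapPrivateKey(secret, pemKey)
	back, err := UnwrapPrivateKey(secret, blob)
	fmt.Printf("db record %d bytes, unwrapped ok=%v err=%v\n", len(blob), string(back) == string(pemKey), err)
}
```

The decrypted PEM still has to live in memory while the server runs, as the reply above says; what the file buys is that a db dump alone yields only salts, nonces and ciphertext.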