I think having to enter a master password to start the server could make it quite
difficult to manage, especially in clouds and provisioned environments. It should be
available as an option though.
Properties file could be the default. We could create a random password and store it in a
file when a realm is created. There are ways to make sure the file is secure
(permissions, encrypted storage, etc.). It also means that an attacker would have to gain
access to both the server and the db.
Would we store the password in memory, the unencrypted private key, or both? With a
properties file you wouldn't need to store either in memory, although it would
probably become very expensive to decrypt the key all the time.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Bruno Oliveira" <bruno(a)abstractj.org>, keycloak-dev(a)lists.jboss.org
Sent: Wednesday, 22 January, 2014 2:43:51 PM
Subject: Re: [keycloak-dev] Password storage and KDFs
Using a property file sort of defeats the purpose of encrypting the
keys. The password must be stored in the human brain, IMO :) I'd like
to store keys as text in the db. They are already stored in PEM format.
On 1/22/2014 9:39 AM, Bruno Oliveira wrote:
> We did something on AeroGear with a property file (not perfect), but I would
> like to look at Keycloak before suggesting anything. Maybe it is possible to
> implement it using the KeyStore from Java?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com