[keycloak-dev] Password storage and KDFs

Stian Thorgersen stian at redhat.com
Wed Jan 22 10:05:43 EST 2014


I think having to enter a master password to start the server could make it quite difficult to manage, especially in clouds and provisioned environments. It should be available as an option though.

Properties file could be the default. We could create a random password and store it in a file when a realm is created. There are ways to make sure the file is secure (permissions, encrypted storage, etc.). It also means that an attacker would have to gain access to both the server and the db.

Would we store the password in memory, the unencrypted private key, or both? With a properties file you wouldn't need to store either in memory, although it would probably become very expensive to decrypt the key all the time.

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Bruno Oliveira" <bruno at abstractj.org>, keycloak-dev at lists.jboss.org
> Sent: Wednesday, 22 January, 2014 2:43:51 PM
> Subject: Re: [keycloak-dev] Password storage and KDFs
> 
> Using a property file sort of defeats the purpose of encrypting the
> keys.  The password must be stored in the human brain, IMO :)  I'd like
> to store keys as text in the db.  They are already stored in PEM format.
> 
> On 1/22/2014 9:39 AM, Bruno Oliveira wrote:
> > We did something on AeroGear with a property file (not perfect), but I would
> > like to look at Keycloak before suggesting anything. Maybe it is possible to
> > implement it using the KeyStore from Java?
> >
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
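As an added example (not Keycloak's code, and not from any poster in the thread), the properties-file option described above, in Java: a random per-realm password is written at realm creation to a file only the server's OS user can read, stretched with a KDF (PBKDF2) into an AES-GCM key, and that key seals the PEM private key for storage in the db. The file name, property key, KDF parameters and the RealmKeyVault class are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

// Hypothetical helper (not Keycloak code) for the properties-file option discussed above.
public class RealmKeyVault {
    private static final SecureRandom RNG = new SecureRandom();
    // At realm creation: generate a random password and store it in a properties file
    // that only the server's OS user can read (POSIX permissions; file layout is assumed).
    static Path createPasswordFile(Path dir, String realm) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        Properties p = new Properties();
        p.setProperty("realm." + realm + ".keyPassword", Base64.getEncoder().encodeToString(raw));
        Path file = Files.createFile(dir.resolve(realm + ".properties"),
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        try (var out = Files.newOutputStream(file)) { p.store(out, "constructed example"); }
        return file;
    }
    // KDF step: PBKDF2 stretches the file password into an AES key. This is the expensive part;
    // if decrypting on every use is too slow, cache this derived key rather than the password.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 100_000, 256)).getEncoded();
        return new SecretKeySpec(k, "AES");
    }
    // Seal the PEM private key for the db column as base64(salt || iv || AES-GCM ciphertext):
    // the db row alone is useless without the file, and the file alone holds no key material.
    static String sealPem(char[] password, String pem) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(pem.getBytes("UTF-8"));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(28 + ct.length).put(salt).put(iv).put(ct).array());
    }
    // Recover the PEM text on demand; GCM's tag check rejects a tampered db row.
    static String openPem(char[] password, String sealed) throws Exception {
        ByteBuffer b = ByteBuffer.wrap(Base64.getDecoder().decode(sealed));
        byte[] salt = new byte[16], iv = new byte[12], ct = new byte[b.remaining() - 28];
        b.get(salt).get(iv).get(ct);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(ct), "UTF-8");
    }
}
```

Whether the derived key or the decrypted PEM is held in memory is then a cache-lifetime decision rather than a storage one; nothing in the file or the db alone lets an attacker read the key.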
