[keycloak-dev] Password storage and KDFs

Bill Burke bburke at redhat.com
Wed Jan 22 10:13:52 EST 2014



On 1/22/2014 10:05 AM, Stian Thorgersen wrote:
> I think having to enter a master password to start the server could make it quite difficult to manage, especially in clouds and provisioned environments. It should be available as an option though.
>

Good point.  This feature would be on the back burner then.

> Properties file could be the default. We could create a random password and store it in a file when a realm is created. There are ways to make sure the file is secure (permissions, encrypted storage, etc.). It also means that an attacker would have to gain access to both the server and the db.
>

Doesn't make much sense to me.  If there are ways to secure this property 
file, why wouldn't you do the same for the database?

> Would we store the password in memory, the unencrypted private key, or both? With a properties file you wouldn't need to store either in memory, although it would probably become very expensive to decrypt the key all the time.
>

The private key has to be in memory unencrypted.  I'd like to load up and 
keep the whole database in memory.  But that's another discussion down 
the road.

> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Bruno Oliveira" <bruno at abstractj.org>, keycloak-dev at lists.jboss.org
>> Sent: Wednesday, 22 January, 2014 2:43:51 PM
>> Subject: Re: [keycloak-dev] Password storage and KDFs
>>
>> Using a property file sort of defeats the purpose of encrypting the
>> keys.  The password must be stored in the human brain, IMO :)  I'd like
>> to store keys as text in the db.  They are already stored in PEM format.
>>
>> On 1/22/2014 9:39 AM, Bruno Oliveira wrote:
>>> We did something on AeroGear with a property file (not perfect), but I would
>>> like to look at Keycloak before suggesting anything. Maybe it is possible to
>>> implement it using the KeyStore from Java?
>>>
>>>
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
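The scheme this thread is circling (the realm's private key stored in the db only as text ciphertext, the key-encryption key derived from a master password with a KDF, the key decrypted once at startup and then held unencrypted in memory) as an added example; this is not code from the original post or from Keycloak, and the "salt.iv.ciphertext" column format, the PBKDF2 iteration count and the AES-GCM choice are this example's own assumptions:

```java
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Added example (not Keycloak code): wrap a realm private key under a PBKDF2-derived
 *  key so only ciphertext is stored as text; unwrap once at startup, keep it in memory. */
public class WrappedKeyExample {
    static final int ITERATIONS = 200_000, SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;

    // Derive a 256-bit key-encryption key from the master password (PBKDF2-HMAC-SHA256).
    static SecretKey deriveKek(char[] password, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] kek = f.generateSecret(new PBEKeySpec(password, salt, ITERATIONS, 256)).getEncoded();
        return new SecretKeySpec(kek, "AES");
    }
    // Returns "salt.iv.ciphertext" (Base64 text): the only thing that goes into the db column.
    static String wrap(PrivateKey key, char[] password) throws GeneralSecurityException {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        rnd.nextBytes(salt); rnd.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKek(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(key.getEncoded()); // PKCS#8 DER of the private key
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + "." + b64.encodeToString(iv) + "." + b64.encodeToString(ct);
    }
    // Unwrap once at startup; the GCM tag check fails loudly on a wrong password or a tampered column.
    static PrivateKey unwrap(String stored, char[] password) throws GeneralSecurityException {
        String[] parts = stored.split("\\.");
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]), iv = b64.decode(parts[1]), ct = b64.decode(parts[2]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKek(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(c.doFinal(ct)));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        PrivateKey realmKey = g.generateKeyPair().getPrivate();
        char[] master = "correct horse battery staple".toCharArray(); // constructed sample password
        String column = wrap(realmKey, master);          // what would be persisted as text
        PrivateKey inMemory = unwrap(column, master);    // done once at startup, not per request
        System.out.println("round trip ok: " + MessageDigest.isEqual(realmKey.getEncoded(), inMemory.getEncoded()));
        java.util.Arrays.fill(master, '\0');             // the password is not needed once the key is in memory
    }
}
```

Decrypting once at startup is what keeps the per-request cost at zero, which is the concern raised about decrypting the key "all the time"; the trade-off is that the unwrapped key then lives in process memory for the server's lifetime.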