db-torque-user mailing list archives

From Thomas Fischer <fisc...@seitenbau.net>
Subject RE: encrypt database user info in the Torque.properties?
Date Fri, 25 May 2007 07:29:04 GMT
One thing to remember is that if the attacker has access to the encrypted
password and to the decryption code, he can decrypt the password himself.
By this I do not want to suggest that encrypting the password makes no
sense (it makes the attack a lot harder), but one needs to remember that
there is no absolutely secure solution for this problem.

     Thomas

"Greg Monroe" <Greg.Monroe@DukeCE.com> wrote on 25.05.2007 01:36:54:

> There is no built in support for this.
>
> However, if you need that level of security, you can
> use the Torque.init(Configuration conf) method to initialize
> Torque with a "decrypted" version of your encrypted
> config file.
>
> E.g., make an "EncryptProperties" class that takes a
> plain text config file and encrypts the whole thing.
>
> Then create a matching DecryptReader class that can
> be used to load a PropertiesConfiguration class.  E.g.,
>
>
> if ( ! Torque.isInit() ) {
>   DecryptReader dReader = new DecryptReader(keys, encryptedFile);
>   PropertiesConfiguration conf = new PropertiesConfiguration();
>   conf.load(dReader);
>   Torque.init(conf);
> }
>
> Of course, if people have access to your compiled classes
> they can probably decompile them and find your key values and
> encryption methods...
>
> > -----Original Message-----
> > From: jill han [mailto:jhan@bynum.com]
> > Sent: Thursday, May 24, 2007 6:01 PM
> > To: Apache Torque Users List
> > Subject: encrypt database user info in the Torque.properties?
> >
> > I put database user login data in the Torque.properties as
> >
> > torque.dsfactory.default.connection.user = username
> > torque.dsfactory.default.connection.password = userpassword
> >
> > At first, I think it is quite common practice. Now somebody
> > questioned it for the security reason, saying "Storage of
> > user information in plain text will allow the database to be
> > compromised if web/app server is hacked."
> > It was suggested to Encrypt the database details in the
> > configuration file.
> >
> > Do you think it is a legitimate concern?
> > Do you encrypt such data in the configuration file?
> >
> > Your input is appreciated as always.
> >
> > Jill
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
> > For additional commands, e-mail: torque-user-help@db.apache.org
> >
> >
>


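The approach outlined in Greg Monroe's quoted reply, as an added example (not part of the original thread and not Torque code): a `DecryptReader` whose file layout (12-byte nonce followed by AES-GCM ciphertext), class design and `main` demo are assumptions made here. The key is passed in by the caller rather than compiled in, because both replies note that a key stored next to the decryption code can be recovered.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical DecryptReader (constructed for this example).
public class DecryptReader extends StringReader {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    public DecryptReader(byte[] key, Path encryptedFile) throws IOException, GeneralSecurityException {
        super(decrypt(key, Files.readAllBytes(encryptedFile)));
    }

    // The "EncryptProperties" step: run at deploy time, outside the web application.
    static byte[] encrypt(byte[] key, String plainConfig) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // fresh nonce for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plainConfig.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
    }

    static String decrypt(byte[] key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        // doFinal throws AEADBadTagException if the file was altered or the key is wrong.
        return new String(c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // demo key only; a deployment would fetch it from outside
        new SecureRandom().nextBytes(key); // the compiled classes and the config directory
        Path file = Files.createTempFile("Torque", ".properties.enc");
        Files.write(file, encrypt(key, "torque.dsfactory.default.connection.user = username\n"
                + "torque.dsfactory.default.connection.password = userpassword\n"));
        Properties p = new Properties(); // stand-in for PropertiesConfiguration.load(reader)
        p.load(new DecryptReader(key, file));
        System.out.println(p.getProperty("torque.dsfactory.default.connection.user"));
        Files.delete(file);
    }
}
```

With Torque, the reader would be handed to `PropertiesConfiguration.load` and the resulting configuration to `Torque.init(conf)`, as in the quoted snippet.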

