This repository has been archived by the owner on Dec 3, 2017. It is now read-only.

Runtime Obfuscate Passwords

Ralph Schaer edited this page Feb 6, 2013 · 10 revisions

If you need to specify passwords in the configuration file (e.g. a database password), storing them in plain text is sometimes not allowed. The executable jar contains a helper class that obfuscates or encrypts plain text values so that the configuration file does not show them in the clear.

In the current release (1.1) two methods are integrated: the Jetty obfuscator and a password-based encryption. Both are described below.

Both methods are symmetric, i.e. reversible: the runner needs the plain text to connect to a resource, so it must be able to recover it from the stored value. An attacker with physical access to the computer can decompile the code and deobfuscate the OBF values directly; for the ENC values the password is also required, but it has to be available to the runner on the same machine at start-up. The methods therefore protect a value from casual exposure, for example when somebody is watching over your shoulder while you edit a configuration file, not from an attacker who can read the machine.

The runner only supports obfuscated/encrypted values in systemProperties, environment/environments, parameter/parameters and resource/resources.

Jetty obfuscator

java -jar app.jar obfuscate [plaintext]

This writes a string to the console that starts with 'OBF' (e.g. OBF1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm). The encoding is Jetty's well-known password obfuscation and involves no key. You can use this string in any of the supported values of the config file.

systemProperties:
  customer: OBF1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm  
  
context:
  resource:
    name: jdbc/db
    factory: org.apache.tomcat.jdbc.pool.DataSourceFactory
    auth: Container
    type: javax.sql.DataSource
    username: OBF1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm
    password: OBF1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm
    driverClassName: OBF1xff1t331zel1iys1yf41okq1lfq1v9q1s3k1sw0
    url: OBF1x111shs1hv61j8t1bb71jug1l8l1igj1lts19
    maxActive: 5
    maxIdle: 1
    maxWait: 10000
    defaultAutoCommit: false

  environment:
    name: email
    value: OBF1xmu1v1x1vgv1l8l1op71ytc1t331yta1os31l4p1vfz1v2h1xmg
    type: java.lang.String
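To make the "no key involved" point concrete, here is an added example (not code from the runner project) that reimplements the Jetty password obfuscation without any dependency, following the logic of Jetty's org.eclipse.jetty.util.security.Password. The prefix is assumed to be "OBF" without the colon that Jetty itself uses, so that it matches the values shown on this page; the main method feeds in the page's own example string.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

// Added example (not part of the runner project): a dependency-free reimplementation of
// the Jetty password obfuscation, following the logic of
// org.eclipse.jetty.util.security.Password. The prefix is "OBF" without the colon Jetty
// itself uses, to match the values shown on this page. Nothing here involves a key:
// whoever has the string has the plaintext.
public final class JettyObf {
    private static final String PREFIX = "OBF";

    public static String obfuscate(String s) {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        StringBuilder buf = new StringBuilder(PREFIX);
        for (int i = 0; i < b.length; i++) {
            byte b1 = b[i];
            byte b2 = b[b.length - (i + 1)]; // byte mirrored from the other end
            if (b1 < 0 || b2 < 0) {
                // non-ASCII byte: 'U' plus (b1 << 8 | b2) in base 36, zero-padded to 4 digits
                int i0 = (0xff & b1) * 256 + (0xff & b2);
                String x = Integer.toString(i0, 36).toLowerCase(Locale.ENGLISH);
                buf.append("U0000", 0, 5 - x.length());
                buf.append(x);
            } else {
                // ASCII: sum and difference of the pair, packed into one 4-digit base-36 group
                int i1 = 127 + b1 + b2;
                int i2 = 127 + b1 - b2;
                int i0 = i1 * 256 + i2;
                String x = Integer.toString(i0, 36).toLowerCase(Locale.ENGLISH);
                buf.append("000", 0, 4 - x.length());
                buf.append(x);
            }
        }
        return buf.toString();
    }

    public static String deobfuscate(String s) {
        if (s.startsWith(PREFIX)) {
            s = s.substring(PREFIX.length());
        }
        byte[] b = new byte[s.length() / 2];
        int l = 0;
        for (int i = 0; i < s.length(); i += 4) {
            if (s.charAt(i) == 'U') {
                i++;
                int i0 = Integer.parseInt(s.substring(i, i + 4), 36);
                b[l++] = (byte) (i0 >> 8);
            } else {
                int i0 = Integer.parseInt(s.substring(i, i + 4), 36);
                int i1 = i0 / 256;
                int i2 = i0 % 256;
                // (i1 + i2 - 254) / 2 == ((127+b1+b2) + (127+b1-b2) - 254) / 2 == b1
                b[l++] = (byte) ((i1 + i2 - 254) / 2);
            }
        }
        return new String(b, 0, l, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String fromPage = "OBF1uh41zly1x8g1vu11ym71ym71vv91x8e1zlk1ugm"; // value used on this page
        String plain = deobfuscate(fromPage);
        System.out.println(fromPage + " -> " + plain);
        System.out.println("round trip matches: " + fromPage.equals(obfuscate(plain)));
    }
}
```

Compile and run with `javac JettyObf.java && java JettyObf`. The page's example value decodes to mypassword, and re-obfuscating it reproduces the same string, because each 4-character group encodes one byte together with its mirror byte and nothing else. Treat OBF values as plaintext for anyone who can read the configuration file.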

Password-based encryption

The Jetty obfuscator has the problem that it is a well-known, openly documented encoding with no key: anybody who sees the value, for example on a screenshot, can deobfuscate it immediately. Therefore a second method exists that addresses this with password-based encryption.

The following call encrypts the plaintext with the password 'mypassword' and writes the encrypted text to the console. The encrypted string starts with 'ENC' (e.g. ENCp1mMfI5Oc1U=W8lUDNgkevmvgWkvO7Llog==).

java -jar test.jar obfuscate [plaintext] -p [mypassword]

systemProperties:
  customer: ENCedaa4hvau4E=paBbt6IaaSI= 
  
context:
  resource:
    name: jdbc/db
    factory: org.apache.tomcat.jdbc.pool.DataSourceFactory
    auth: Container
    type: javax.sql.DataSource
    username: ENCxXOVLI1ckZM=ndRKXnaBYD4=
    password: ENCjuqjztvF6Oo=CQrDnW/POX8F/rRELBpH3g==
    driverClassName: ENCedaa4hvau4E=paBbt6IaaSI=
    url: ENCp1mMfI5Oc1U=W8lUDNgkevmvgWkvO7Llog==
    maxActive: 5
    maxIdle: 1
    maxWait: 10000
    defaultAutoCommit: false

  environment:
    name: email
    value: ENCedaa4hvau4E=paBbt6IaaSI=
    type: java.lang.String

Because the values are encrypted with a password, the same password has to be given to the runner with the command line parameter -p or --password, otherwise it cannot decrypt them. Keep in mind that command line arguments are visible to other local users (for example in the process list), so this moves the secret from the configuration file to the command line rather than removing it from the machine.

java -jar test.jar -p [mypassword]

With a configuration file

java -jar test.jar myconfig.yaml --password [mypassword]
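The following is an added example, not the runner's own code, showing how a password-based scheme producing the "ENC" + base64 + base64 shape seen above can be built and how a runner consumes it at start-up with the -p password. The page does not name the algorithm or the exact layout, so this example assumes PBKDF2-HMAC-SHA256 for key derivation and AES-128-GCM for encryption, with the salt in the first base64 segment and IV plus ciphertext in the second; salt length, IV layout and iteration count are this example's own choices. The GCM tag means a wrong password is rejected instead of silently producing garbage, which is the failure mode a practitioner should check for.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the runner's own code. It builds and consumes values of the shape
// "ENC" + base64(salt) + base64(ciphertext) seen on this page. The page does not name the
// algorithm; this example assumes PBKDF2-HMAC-SHA256 for key derivation and AES-128-GCM,
// so a wrong password is rejected by the authentication tag instead of yielding garbage.
// Salt length, IV layout and iteration count are this example's own choices.
public final class EncValues {
    private static final String PREFIX = "ENC";
    private static final int SALT_LEN = 16;
    private static final int SALT_B64_LEN = 24;   // base64 of 16 bytes is always 24 characters
    private static final int IV_LEN = 12;
    private static final int ITERATIONS = 200_000;
    private static final SecureRandom RNG = new SecureRandom();

    private static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 128);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Fresh salt and IV per call, so encrypting the same plaintext twice gives different values.
    public static String encrypt(String plaintext, char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)); // ciphertext || 16-byte tag
        byte[] body = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, body, 0, IV_LEN);
        System.arraycopy(ct, 0, body, IV_LEN, ct.length);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + b64.encodeToString(salt) + b64.encodeToString(body);
    }

    // Throws AEADBadTagException (a GeneralSecurityException) on a wrong password or a tampered value.
    public static String decrypt(String value, char[] password) throws GeneralSecurityException {
        if (!value.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not an ENC value");
        }
        String rest = value.substring(PREFIX.length());
        byte[] salt = Base64.getDecoder().decode(rest.substring(0, SALT_B64_LEN));
        byte[] body = Base64.getDecoder().decode(rest.substring(SALT_B64_LEN));
        byte[] iv = Arrays.copyOfRange(body, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(body, IV_LEN, body.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    // What the runner has to do at start-up with the -p password: pass every supported value
    // through and decrypt only those that carry the ENC prefix.
    public static Map<String, String> resolve(Map<String, String> config, char[] password)
            throws GeneralSecurityException {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : config.entrySet()) {
            String v = e.getValue();
            out.put(e.getKey(), v.startsWith(PREFIX) ? decrypt(v, password) : v);
        }
        return out;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "mypassword".toCharArray();
        Map<String, String> config = new LinkedHashMap<>(); // constructed sample, like the resource block above
        config.put("username", "dbuser");
        config.put("password", encrypt("s3cr3t", pw));
        config.put("maxActive", "5");
        System.out.println("stored:   " + config);
        System.out.println("resolved: " + resolve(config, pw));
        try {
            resolve(config, "wrong".toCharArray());
        } catch (AEADBadTagException ex) {
            System.out.println("wrong password rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac EncValues.java && java EncValues`. The stored map shows only the password field transformed, the resolved map shows all values in the clear as the runner needs them, and the third call demonstrates that a wrong -p password fails closed. Whatever the runner's actual algorithm is, the same constraint from the introduction applies: the plaintext exists in memory once the values are resolved, so the encryption protects the file at rest, not the running process.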

When you use Procrun, the service's start parameters, and with them the password, are kept in the Windows registry instead of on a visible command line. But again: an attacker with physical access to the computer can read the registry, obtain the password and decrypt the encrypted texts.