The dbconfig.xml for JIRA in the data directory has the database credentials, specifically the password, in plain text. Is there a feature, plugin, setting, etc that will encrypt the password in this file?
Short answer: No. See JRA-31004.
JIRA has to actually have access to this information to connect to the database. Since it must be algorithmically recoverable by JIRA using a direct algorithm, anything we do to protect it must be reversible, and that amounts to simple obfuscation.
The database is not the only place that we have this problem, and you can see some of my comments about a similar case (LDAP server passwords) in JRA-27457, where I talk about why we can't just hash it and why obfuscating it doesn't really help. I also lay out what I think the long term solution should look like.
I've built a library to make possible the "separation of concerns" that I outline there, and our security team is aware of it. However, making use of it will require some significant changes in all of the products, and it will also complicate the import/export process for Cloud, so this is not likely to progress quickly, but fixing these issues is definitely on our security roadmap.
I'm John Allspaw, co-founder of Adaptive Capacity Labs, where we help teams use their incidents to learn and improve. We bring research-driven methods and approaches to drive effective inciden...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs