I found a Community post with comments from a JIRA Development Engineer titled "password encryption for database connection" that links to comments in JRASERVER-27457, which may help explain why this isn't done natively.
I found a Suggestion request for this at JRASERVER-31004 and one with MSSQL as the Database in question specifically at JRASERVER-37356: Clear text password in dbconfig.xml. Here is an update from JRASERVER-31004 from 2016:
While we understand the importance of this issue for our customers with strict password encryption requirements, we have not been able to prioritize development on this issue and it's not in our immediate plans.
JIRA still needs access to the database – any code to encrypt the DB credentials or the JNDI datasource would have to reside within the application, therefore an attacker who has obtained system-level access to JIRA could still reverse-engineer the implementation and decrypt the password. Therefore you only have "security via obfuscation." Please see this comment on JRA-27457 for more detail.
That said, we do think this is a positive step and want to support you. We hope to implement a solution in the future.
Please vote on JRASERVER-31004: Encrypt Database Password in dbconfig.xml or use integrated authentication to add impact so we can get this implemented into JIRA.