Encrypt passwords in context and dbconfig JIRA files

atlassian member January 18, 2018

Hi,

For security reasons, we would like to encrypt passwords in context.xml and dbconfig.xml.

Is there any tool that would allow us to do this on JIRA?

Best regards,

1 answer

1 vote
somethingblue
Atlassian Team
January 18, 2018

Hi Yasmine,

I found a Community post with comments from a JIRA Development Engineer titled "password encryption for database connection" that links to comments in JRASERVER-27457, which may help explain why this isn't done natively.

I found a Suggestion request for this at JRASERVER-31004 and one with MSSQL as the Database in question specifically at JRASERVER-37356: Clear text password in dbconfig.xml. Here is an update from JRASERVER-31004 from 2016:

While we understand the importance of this issue for our customers with strict password encryption requirements, we have not been able to prioritize development on this issue and it's not in our immediate plans.

JIRA still needs access to the database – any code to encrypt the DB credentials or the JNDI datasource would have to reside within the application, therefore an attacker who has obtained system-level access to JIRA could still reverse-engineer the implementation and decrypt the password. Therefore you only have "security via obfuscation." Please see this comment on JRA-27457 for more detail.

That said, we do think this is a positive step and want to support you. We hope to implement a solution in the future.

Please vote on JRASERVER-31004: Encrypt Database Password in dbconfig.xml or use integrated authentication to add impact so we can get this implemented into JIRA.

Cheers,

Branden
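
The argument in the JRASERVER-31004 update quoted above, shown as an added example (not part of the original answer and not JIRA code): a password stored encrypted in a dbconfig.xml-shaped file is hidden from a casual read, but is recovered by anything that can read the same key the application reads. The `ENC:` marker, the toy keystream standing in for a real cipher, the element layout and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def _keystream(key: bytes, n: int) -> bytes:
    # Toy SHA-256 counter keystream, a stand-in for a real cipher (illustration only).
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def protect(password: str, key: bytes) -> str:
    # Hypothetical "ENC:" marker; JIRA's dbconfig.xml has no such feature.
    return "ENC:" + base64.b64encode(_xor(password.encode(), key)).decode()

def load_db_password(xml_text: str, key: bytes) -> str:
    # What the application itself must do at startup to open its database connection.
    value = ET.fromstring(xml_text).findtext("jdbc-datasource/password")
    if not value.startswith("ENC:"):
        return value  # cleartext entry, used as-is
    return _xor(base64.b64decode(value[4:]), key).decode(errors="replace")

# Constructed sample values; not taken from any real installation.
DB_PASSWORD = "s3cret-constructed"
APP_KEY = b"key-readable-by-the-jira-process"
DBCONFIG = (
    "<jira-database-config><name>defaultDS</name><jdbc-datasource>"
    "<username>jirauser</username>"
    f"<password>{protect(DB_PASSWORD, APP_KEY)}</password>"
    "</jdbc-datasource></jira-database-config>"
)

def summary() -> dict:
    return {
        # A casual read of the file (backup, screenshot) no longer shows the password.
        "visible_in_file": DB_PASSWORD in DBCONFIG,
        # Whoever holds what the application holds runs the same routine and gets it back.
        "recovered_with_app_key": load_db_password(DBCONFIG, APP_KEY) == DB_PASSWORD,
        # Only a key kept out of that reader's reach changes the outcome.
        "recovered_without_key": load_db_password(DBCONFIG, b"some-other-key") == DB_PASSWORD,
    }

if __name__ == "__main__":
    print(summary())
```

The third result is the practical takeaway: encryption in the file helps only to the extent that the key lives somewhere an intruder with access to the JIRA host cannot read.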
