Thursday, May 26, 2016

How to hide the secure vault decryption password

whats covered: embedding the secure vault password for the linux startup script.

WSO2 servers ship with the capability of encrypting and securing plain text passwords used in configuration files, find more information about this feature here[1]. As the final step of this process the decryption password will need to be provided at server startup by entering it or placing it as a temp text file. When needing to start the servers as background services the password can be embedded into the server startup script as shown in the post  to make the process more secure.

1) encode the password to base64

run the command below to get it encoded

echo 'put your password here' | base64

2) modify the script to generate the password file at runtime.

Include the following line at the start of the elif [ "$CMD" = "start" ]; then block. Refer[2]

echo <the encoded base64 string goes here> | base64 -d | tee $CARBON_HOME/password-tmp

the password-tmp file will get generated before the carbon bootlstrapper is run. The file will get deleted after it is read.

Note that this would only work on Linux distros where the base64 program is available.