Encrypting passwords of system users
By default, the passwords of system users are stored in clear form in the <RuntimeContainerPath>/etc/users.properties file, so anyone who can read that file can read the passwords.
Password encryption is enabled in the <RuntimeContainerPath>/etc/org.apache.karaf.jaas.cfg configuration file by setting the encryption.enabled property to true (it is disabled by default).
Note that "encryption" here means a one-way digest of the password: the stored value cannot be decrypted back to the clear password, it can only be compared against the digest of the password presented at login.
With encryption enabled, a password is encrypted the first time its user logs in. Encrypted passwords are prefixed and suffixed with {CRYPT}. To re-encrypt a password (for example after switching to a stronger provider or algorithm), reset it in clear form in the <RuntimeContainerPath>/etc/users.properties file, without the {CRYPT} prefix and suffix. Talend ESB Runtime detects that the password is in clear form because it lacks the {CRYPT} prefix and suffix, and encrypts it again at that user's next login. Until that login the password is readable in the file, so keep read access to users.properties restricted to the runtime's own account.
The <RuntimeContainerPath>/etc/org.apache.karaf.jaas.cfg configuration file allows you to define advanced encryption behaviours:
- the encryption.prefix property defines the prefix to "flag" a password as encrypted. The default is {CRYPT}.
- the encryption.suffix property defines the suffix to "flag" a password as encrypted. The default is {CRYPT}.
- the encryption.name property defines which encryption provider is used. The default is "basic", which only supports basic digesting of the password, without salting. This is not secure for production environments. A more secure alternative is "jasypt", which supports digesting with salting. However, the most secure alternative, which should be used in production, is "spring-security-crypto", which supports modern password digest algorithms such as "argon2" and "bcrypt".
- the encryption.algorithm property defines the algorithm to use for encryption (digest). The possible values for the "basic" and "jasypt" providers are: MD2, MD5, SHA-1, SHA-256, SHA-384, SHA-512. The default is SHA-256. When encryption.name is set to "spring-security-crypto", the possible values are: argon2, bcrypt, pbkdf2, scrypt.
- the encryption.encoding property defines the encoding of the encrypted password. The possible values are hexadecimal or base64. The default value is hexadecimal.
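The following script is an added example and is not part of the Talend or Apache Karaf code base. It audits constructed copies of org.apache.karaf.jaas.cfg and users.properties against the settings described above: it flags encryption left disabled, the unsalted "basic" provider, broken digest algorithms, and user entries that are still in clear form (no {CRYPT} prefix and suffix). It also models the "basic" provider as an unsalted MessageDigest over the password, hex- or base64-encoded (an assumption of this example about its output format), and runs a dictionary attack against such a digest to show why unsalted digests are unsuitable for production. The sample file contents and user names are constructed for the example.

```python
"""Audit Karaf/Talend ESB Runtime password storage settings (added example).

Not Talend's or Karaf's own code. Parses constructed copies of
etc/org.apache.karaf.jaas.cfg and etc/users.properties, reports weak
settings, and demonstrates why the unsalted "basic" provider is weak.
"""
import base64
import hashlib

WEAK_ALGORITHMS = {"MD2", "MD5", "SHA-1"}
MODERN_ALGORITHMS = {"argon2", "bcrypt", "pbkdf2", "scrypt"}


def parse_properties(text):
    """Parse 'key = value' lines; '#' and '!' lines are comments (Java properties subset)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_digested(value, prefix, suffix):
    """A stored password counts as digested only if it carries both the prefix and the suffix."""
    return (value.startswith(prefix) and value.endswith(suffix)
            and len(value) > len(prefix) + len(suffix))


def basic_digest(password, algorithm="SHA-256", encoding="hexadecimal"):
    """Assumed model of the 'basic' provider: unsalted digest of the password, hex or base64."""
    try:
        md = hashlib.new(algorithm.replace("-", "").lower())  # "SHA-256" -> "sha256"
    except ValueError as exc:
        raise ValueError("digest %s not available in hashlib" % algorithm) from exc
    md.update(password.encode("utf-8"))
    raw = md.digest()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    return raw.hex()


def crack_unsalted(stored, algorithm, encoding, wordlist):
    """Dictionary attack on an unsalted digest: one digest per candidate is all it takes."""
    for candidate in wordlist:
        if basic_digest(candidate, algorithm, encoding) == stored:
            return candidate
    return None


def audit(jaas_cfg_text, users_text):
    """Return a list of findings (strings); an empty list means nothing to report."""
    cfg = parse_properties(jaas_cfg_text)
    findings = []
    enabled = cfg.get("encryption.enabled", "false").lower() == "true"
    name = cfg.get("encryption.name", "")
    algorithm = cfg.get("encryption.algorithm", "SHA-256")
    prefix = cfg.get("encryption.prefix", "{CRYPT}")
    suffix = cfg.get("encryption.suffix", "{CRYPT}")

    if not enabled:
        findings.append("encryption.enabled is not true: passwords stay in clear form")
    elif name in ("", "basic"):  # empty name means the default provider, "basic"
        findings.append("encryption.name=basic: unsalted %s digest, not for production" % algorithm)
    elif name == "jasypt" and algorithm in WEAK_ALGORITHMS:
        findings.append("encryption.algorithm=%s is a broken digest" % algorithm)
    elif name == "spring-security-crypto" and algorithm not in MODERN_ALGORITHMS:
        findings.append("encryption.algorithm=%s is not one of %s" % (algorithm, sorted(MODERN_ALGORITHMS)))

    # users.properties: user = password,role1,role2 ; '_g_' keys are group definitions
    for user, value in parse_properties(users_text).items():
        if user.startswith("_g_"):
            continue
        password = value.split(",", 1)[0]
        if not is_digested(password, prefix, suffix):
            findings.append("user %r has a clear-form password" % user)
    return findings


# Constructed sample: encryption left at its default (disabled), "basic" provider.
WEAK_JAAS_CFG = """\
encryption.enabled = false
encryption.name =
encryption.prefix = {CRYPT}
encryption.suffix = {CRYPT}
encryption.algorithm = SHA-256
encryption.encoding = hexadecimal
"""

# Constructed sample: hardened configuration using a modern password digest.
HARDENED_JAAS_CFG = """\
encryption.enabled = true
encryption.name = spring-security-crypto
encryption.prefix = {CRYPT}
encryption.suffix = {CRYPT}
encryption.algorithm = bcrypt
encryption.encoding = hexadecimal
"""

# Constructed sample users.properties: one clear-form entry, one already digested
# by an unsalted SHA-256 "basic" setup (hypothetical users, not a real file).
SAMPLE_USERS = """\
# constructed sample
tadmin = tadmin,admin,manager,viewer,systembundles,ssh
karaf = {CRYPT}%s{CRYPT},admin
""" % basic_digest("karaf")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_JAAS_CFG), ("hardened", HARDENED_JAAS_CFG)):
        print(label, audit(cfg, SAMPLE_USERS))
    stored = basic_digest("karaf")
    print("recovered:", crack_unsalted(stored, "SHA-256", "hexadecimal", ["admin", "password", "karaf"]))
```

Running the script against the weak configuration reports both the disabled encryption and the clear-form tadmin entry, and recovers "karaf" from its unsalted SHA-256 digest with a three-word list; against the hardened configuration only the clear-form entry remains, which is exactly the state the re-encryption procedure above leaves a user in until the next login.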