Securing credentials/passwords not possible with Quarkus distribution


Describe the bug

It seems there is currently no way to secure/hide/obfuscate any of the passwords (i.e. db-password, https-key-store-password, https-trust-store-password, referenced in https://www.keycloak.org/server/all-config).

With Wildfly one could use Elytron encrypted values and “credential-stores”.

This is an issue because, as @FX-Liagre points out in the referenced discussions

[…]And our customers’ security guys (and DB admins…) tend to faint when you present them a config text file with clear text DB credentials… 😦

Version

17.0.0

Expected behavior

Have some sort of encryption ready for hiding credentials or passwords.

Actual behavior

No such feature available in Quarkus, but still is in Wildfly.

How to Reproduce?

Provide any clear-text passwords inside the keycloak.conf. Find someone who does a security scan on the installation -> they will find the clear-text password and might possibly faint over it

Anything else?

See also Discussion: https://github.com/keycloak/keycloak/discussions/10595
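The reproduction step above amounts to "grep the config for a password". As an added example that is not part of the issue or of the Keycloak project, the script below scans a keycloak.conf for the three credential options the issue names and reports which ones are literal values versus `${...}` indirections, and which of the corresponding `KC_*` environment variables are present in the process environment. The key=value file format, the `${...}` placeholder syntax and the `KC_<OPTION>` environment-variable mapping are assumptions of this example; the sample config and environment are constructed.

```python
"""Scan a keycloak.conf (and the process environment) for clear-text credentials.

Added example, not code from the Keycloak project or the issue.  Assumptions,
labelled in the comments below: the key=value file format, the ${...}
placeholder syntax, and the KC_<OPTION> environment-variable mapping.
"""
import re
from typing import Dict, List

# Credential-bearing option names cited in the issue; extend from
# https://www.keycloak.org/server/all-config as needed (assumed list).
SENSITIVE_KEYS = (
    "db-password",
    "https-key-store-password",
    "https-trust-store-password",
)

# A value that is entirely a ${...} expression is treated as an indirection
# (environment variable or property lookup), not a literal secret.  The exact
# expansion syntax Keycloak accepts is an assumption of this example.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")


def parse_keycloak_conf(text: str) -> List[tuple]:
    """Return (line_no, key, value) for every key=value line.

    Blank lines and '#' comments are skipped; lines without '=' are ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((line_no, key.strip(), value.strip()))
    return entries


def env_var_name(key: str) -> str:
    """keycloak.conf key -> environment variable Keycloak reads for it
    (assumed mapping: db-password -> KC_DB_PASSWORD)."""
    return "KC_" + key.upper().replace("-", "_")


def find_cleartext_secrets(conf_text: str, environ: Dict[str, str]) -> List[dict]:
    """Findings for literal secrets in the file and secrets present in the
    environment.  Values are deliberately NOT copied into the findings, so the
    scanner's own output does not become a second place the secret leaks."""
    findings = []
    for line_no, key, value in parse_keycloak_conf(conf_text):
        if key in SENSITIVE_KEYS and not PLACEHOLDER_RE.match(value):
            findings.append({"where": "file", "key": key, "line": line_no})
    for key in SENSITIVE_KEYS:
        var = env_var_name(key)
        if var in environ:
            findings.append({"where": "environment", "key": key, "var": var})
    return findings


def report(findings: List[dict]) -> List[str]:
    """Human-readable lines.  A file literal is what a config scan trips on; an
    environment variable is only hidden from people who cannot inspect the
    process (the issue's comments show Process Explorer reading it on Windows)."""
    lines = []
    for f in findings:
        if f["where"] == "file":
            lines.append(f"keycloak.conf:{f['line']}: {f['key']} is a clear-text literal")
        else:
            lines.append(f"environment: {f['var']} holds {f['key']}; "
                         "readable by anyone who can inspect the process")
    return lines


# Constructed sample input (not a real deployment).
SAMPLE_CONF = """\
# constructed keycloak.conf for the example
db=postgres
db-username=keycloak
db-password=s3cr3t-literal
https-key-store-file=conf/server.keystore
https-key-store-password=${env:KEYSTORE_PASSWORD}
https-trust-store-password=${TRUSTSTORE_PASSWORD:changeit}
"""
SAMPLE_ENV = {"PATH": "/usr/bin", "KC_DB_PASSWORD": "s3cr3t-literal",
              "KEYSTORE_PASSWORD": "hunter2"}

if __name__ == "__main__":
    for line in report(find_cleartext_secrets(SAMPLE_CONF, SAMPLE_ENV)):
        print(line)
```

Run it against a real `conf/keycloak.conf` by passing the file contents and `os.environ`; the report names the option and line but never the value, which is the property a scanner of this kind must keep.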

Issue Analytics

  • State: open
  • Created: a year ago
  • Reactions: 1
  • Comments: 12 (6 by maintainers)

Top GitHub Comments

2 reactions
dfs- commented, Apr 6, 2022

Hi @pedroigor,

thanks for looking at this issue. In my current environment I am using Windows (duh) and am not using a container. Currently, as opposed to WildFly, there is no standard way of running Keycloak as a service, so I am using NSSM (https://nssm.cc/) as a lightweight service wrapper for Keycloak.

While NSSM supports custom environment variables to be set only inside its “sandbox”, at least on Windows it is trivial to retrieve the information using Sysinternals Process Explorer:

[screenshot: Sysinternals Process Explorer showing the Keycloak service's environment variables]

The screenshot is from a testing server, so please ignore any nonsensical stuff you might see on the screenshot. 😃

1 reaction
pedroigor commented, Jun 13, 2022

@dfs- Not at all 😃 It means it was added to our backlog. The next step is to discuss with the team how/when it should be implemented.
