Security-sensitive customers don't want to see unencrypted passwords, including keystore passwords or HSM PINs, anywhere in config files.
To address this, we currently offer property substitution, and the substituted values can be encrypted or obfuscated using the CRYPT: or OBF: prefixes.
This approach has two major shortcomings:
- it does not work for custom properties, e.g. credentials used further downstream in provisioner configs
- the protection is too weak to withstand a serious security review (an obfuscated value is reversible by anyone who can read the file, so it only hides the password from casual inspection).
To address these, the encryption option should be made pluggable, so that customers can supply their own crypto implementation, for example one that interfaces with a centralised crypto service provided as part of their infrastructure, and the key material never has to live in the config files or on the IDM host.
The workaround we plan to employ at this client is to store the encrypted credentials in a separate file owned by a separate user, decrypt them using their service prior to starting IDM, and then pass them into the IDM service user's context via environment variables. However, this means there is another file and another external script to maintain, which makes the deployment harder to manage.
IDM should support pluggable encryption for arbitrary configuration properties.
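To make the proposal concrete, here is a sketch of what a pluggable, prefix-dispatched decryptor for &{...} property substitution could look like. This is an added example, not IDM's own code: the `KMS:` prefix, the `CentralCryptoService` class (a stand-in for a customer's centralised crypto service, built from stdlib HMAC primitives so it runs offline) and the base64 stand-in for `OBF:` are all assumptions. It shows the two points the request makes: a plug-in registered by prefix is applied to any property, including ones referenced downstream from a provisioner config, and an obfuscated value can be reversed with no key at all while the plug-in's key stays inside the service.

```python
# Added example (not IDM's code): pluggable, prefix-dispatched decryption for
# &{property} substitution. Prefix "KMS:", CentralCryptoService and the
# base64 stand-in for OBF: are assumptions made for this illustration.
import base64
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, Mapping

# A decryptor plug-in receives the text after the prefix and returns the plaintext.
PropertyDecryptor = Callable[[str], str]

# &{name} references, the substitution syntax used in config files.
SUBST_RE = re.compile(r"&\{([^}]+)\}")


class PropertyResolver:
    """Resolves &{...} references and decrypts prefixed values via registered plug-ins."""

    def __init__(self, properties: Mapping[str, str]) -> None:
        self._props = dict(properties)
        self._decryptors: Dict[str, PropertyDecryptor] = {}

    def register(self, prefix: str, decryptor: PropertyDecryptor) -> None:
        if not prefix.endswith(":"):
            raise ValueError("prefix must end with ':'")
        self._decryptors[prefix] = decryptor

    def resolve_value(self, raw: str) -> str:
        for prefix, decryptor in self._decryptors.items():
            if raw.startswith(prefix):
                return decryptor(raw[len(prefix):])
        return raw  # no registered prefix: treat as a plain value

    def get(self, name: str) -> str:
        if name not in self._props:
            raise KeyError(f"unknown property {name!r}")
        return self.resolve_value(self._props[name])

    def substitute(self, text: str) -> str:
        """Expand every &{name} in an arbitrary config fragment (e.g. a provisioner config)."""
        return SUBST_RE.sub(lambda m: self.get(m.group(1)), text)


def obf_encode(plain: str) -> str:
    """Constructed stand-in for OBF: (not the real scheme). Keyless, hence reversible by anyone."""
    return "OBF:" + base64.b64encode(plain.encode()).decode()


def obf_decode(body: str) -> str:
    return base64.b64decode(body).decode()


class CentralCryptoService:
    """Constructed stand-in for a customer's centralised crypto service.

    Encrypt-then-MAC with an HMAC-SHA256 keystream and an HMAC-SHA256 tag, so the
    example runs with the standard library. The master key never leaves this object.
    """

    def __init__(self, master_key: bytes) -> None:
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plain: str) -> str:
        nonce = os.urandom(16)
        data = plain.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        return base64.b64encode(nonce + ct + tag).decode()

    def decrypt(self, body: str) -> str:
        blob = base64.b64decode(body)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext authentication failed")  # fail closed on tampering
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()


def build_resolver(service: CentralCryptoService, properties: Mapping[str, str]) -> PropertyResolver:
    """Wire the built-in OBF: handler and the customer plug-in under the assumed KMS: prefix."""
    resolver = PropertyResolver(properties)
    resolver.register("OBF:", obf_decode)
    resolver.register("KMS:", service.decrypt)
    return resolver


def demo() -> str:
    service = CentralCryptoService(os.urandom(32))
    props = {
        "openidm.keystore.password": obf_encode("changeit"),
        "ldap.bind.password": "KMS:" + service.encrypt("s3cret"),
        "ldap.host": "ldap.example.com",
    }
    provisioner = '{"host": "&{ldap.host}", "password": "&{ldap.bind.password}"}'
    return build_resolver(service, props).substitute(provisioner)


if __name__ == "__main__":
    print(demo())
```

The resolver treats any value without a registered prefix as plain text, so ordinary values that happen to contain a colon (JDBC URLs and the like) still work; a tampered `KMS:` ciphertext is rejected rather than silently yielding garbage. The real OBF: and CRYPT: algorithms are not reproduced here; the point is only that the prefix dispatch is the natural seam at which a customer-supplied implementation could be plugged in.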