[ 
https://issues.apache.org/jira/browse/JSPWIKI-205?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14145266#comment-14145266
 ] 

Harry Metske commented on JSPWIKI-205:
--------------------------------------

What about lifting the security a little higher? Currently, the 
encryption/decryption key is in a file on the filesystem, so root users can 
easily access it and probably decrypt your page data.
What about keeping the decryption key in memory only? So the idea is that you 
(the wiki admin, or user) keep the key private (physically).
You start up the wiki, encrypted pages can't be read (yet). You log in (HTTPS of 
course), and there is a special page, plugin, JSP or whatever that allows you 
to enter the key. Then this key is kept in the JVM memory only. After entering 
this key, the encrypted pages can be (decrypted and) read.
Restarting the wiki requires you to re-enter the key.

While still "hackable" it is much more secure.

Just an idea... WDYT?

> Obfuscate on disk content type
> ------------------------------
>
>                 Key: JSPWIKI-205
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-205
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Core & storage
>            Reporter: Chris Lialios
>            Priority: Trivial
>         Attachments: BasicOverview.doc, EncryptingProviderSource.zip, 
> encryption.patch, encryption.patch, encryption.patch, encryption.patch
>
>
> We would like to store passwords within the wiki pages. 
> Securing the page is trivial, however the contents on disk remain clear text.
> It would be very nice to have a page type that could be stored in an 
> obfuscated form on disk. 
> As an addition, have a secondary password to display/edit the encrypted 
> contents on disk for those who do not want to use wiki security on the page.
> I suspect this will have potentially drastic effects on the revisions 
> process, but it would be a small price to pay for security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
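
The memory-only key idea from the comment above, as an added Java sketch; it is not JSPWiki code and not taken from the attached patches. The class name, the PBKDF2 iteration count, the on-disk salt and the use of AES-GCM are assumptions made for illustration.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Hypothetical holder: the page key lives only in JVM memory once an admin has entered it.
public final class InMemoryPageKey {
    private static final SecureRandom RNG = new SecureRandom();
    private volatile SecretKeySpec key;   // null after every (re)start until unlock() is called

    // Called from an HTTPS-only admin page (assumed). The salt is not secret and may sit on disk.
    // A wrong passphrase is not detected here; it surfaces as a GCM tag failure in decrypt().
    public void unlock(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 210_000, 256);
        try {
            byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                         .generateSecret(spec).getEncoded();
            key = new SecretKeySpec(raw, "AES");   // SecretKeySpec keeps its own copy
            Arrays.fill(raw, (byte) 0);
        } finally {
            spec.clearPassword();
            Arrays.fill(passphrase, '\0');         // do not leave the passphrase on the heap
        }
    }

    public boolean isUnlocked() { return key != null; }
    public void lock() { key = null; }

    // Stored form on disk: 12-byte random IV followed by ciphertext and GCM tag.
    public byte[] encrypt(String pageText) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, requireKey(), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(pageText.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public String decrypt(byte[] stored) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, requireKey(), new GCMParameterSpec(128, stored, 0, 12));
        return new String(c.doFinal(stored, 12, stored.length - 12), StandardCharsets.UTF_8);
    }

    private SecretKeySpec requireKey() {
        SecretKeySpec k = key;   // encrypted pages stay unreadable until the key is entered
        if (k == null) throw new IllegalStateException("page key not entered since startup");
        return k;
    }
}
```

The key never touches the filesystem, but anyone able to dump the JVM heap can still recover it, which is the remaining exposure the comment calls "hackable".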
