On Mon, Feb 16, 2026 at 04:00:15PM +0000, Josefin Wahlström wrote:
> We’re currently looking at the security of DSpace and noticed that the
> database password is supposed to be stored in clear text in local.cfg.
>
> I’m wondering what the motivation for this is, and if anyone has an
> alternative solution to saving the password in clear text?

Any approach that does not require manual intervention to supply key material is plaintext-equivalent. If the system can start itself unassisted, then somewhere in the system there is at least one plaintext secret, and thus anyone with unrestricted read access to the filesystem can eventually decrypt any encrypted secrets.

What's your threat model? Is it feasible in your application to have a human operator standing by to unlock the system?

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
library.indianapolis.iu.edu
ORCiD: 0000-0002-9558-3768
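
Added example, not part of the original message or of DSpace: because the reply ties exposure to who can read the filesystem, this Python check reports whether a config file holding a plaintext password is accessible beyond its owner. The `db.password` key name, the owner-only policy and the sample file contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

SECRET_KEYS = ("db.password",)  # assumed key name for the database password

def find_secret_keys(cfg_text, keys=SECRET_KEYS):
    """Return the secret keys that are set to a non-empty value."""
    found = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):  # properties-style comments
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() in keys and value.strip():
            found.append(name.strip())
    return found

def audit_config(path, keys=SECRET_KEYS):
    """List findings for a config file that holds plaintext secrets."""
    with open(path, encoding="utf-8") as fh:
        secrets = find_secret_keys(fh.read(), keys)
    if not secrets:
        return []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    # Assumed policy: only the owning service account may read or write.
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"{path}: group can access {secrets} (mode {mode:o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: world can access {secrets} (mode {mode:o})")
    return findings

def demo():
    """Audit a constructed local.cfg at two permission settings."""
    sample = "# constructed sample\ndb.username = dspace\ndb.password = example-only\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "local.cfg")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)   # readable by group and world
        loose = audit_config(path)
        os.chmod(path, 0o600)   # owner only
        tight = audit_config(path)
    return loose, tight

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```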
