topic Re: best practice to protect Database connection password in Member Support

topic Re: best practice to protect Database connection password in Member Support https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1426#M132 yes, indeed. two situation here, one is developing by Java, one is developing by php or some other scripting language. the same function is they all need to connect to database to update data. the encryption principle is separating key and cipher text. for java, there is a way to secure DB password as below: 1. generate a root key and a instance key 2. encrypt DB password by instance key and store it in config file 3. encrypt instance key by root key and store it in config file 4. keep root key in other server and get them when require after authenticated please let me know your advice, thx. Thu, 19 Oct 2017 01:56:45 GMT AmyZ 2017-10-19T01:56:45Z best practice to protect Database connection password https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1395#M126 Storing DB connection password in plain text in config file is very common way， but we know it's not secure. what's the best practices to protect DB password? thanks. Wed, 18 Oct 2017 09:29:23 GMT https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1395#M126 AmyZ 2017-10-18T09:29:23Z Re: best practice to protect Database connection password https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1399#M127 Hi, The technique will vary based on language and environment that you are deploying. Perhaps you can provide further information on this? Wed, 18 Oct 2017 13:44:18 GMT https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1399#M127 sureshdr 2017-10-18T13:44:18Z Re: best practice to protect Database connection password https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1426#M132 yes, indeed. two situation here, one is developing by Java, one is developing by php or some other scripting language. the same function is they all need to connect to database to update data. the encryption principle is separating key and cipher text. for java, there is a way to secure DB password as below: 1. generate a root key and a instance key 2. encrypt DB password by instance key and store it in config file 3. encrypt instance key by root key and store it in config file 4. keep root key in other server and get them when require after authenticated please let me know your advice, thx. Thu, 19 Oct 2017 01:56:45 GMT https://community.isc2.org/t5/Member-Support/best-practice-to-protect-Database-connection-password/m-p/1426#M132 AmyZ 2017-10-19T01:56:45Z