How to encrypt passwords

I am deploying Lucee via a CloudFormation script at Amazon. I want to be able to store the database and admin passwords as a separate object and just inject them into the proper XML at deploy time.

The problem is that the passwords in Lucee are encrypted. How do I convert the plain-text password created when the database instance is formed into the encrypted version Lucee uses?

i.e.: dbpassword = 'mybadpassword'
password: "encrypted:encryptedpasswordstringfrommybadpassword"

Also, since each instance of Lucee is run in a container, is the encryption key the same across all Lucee installs, so the same encrypted password will decrypt to the same value on all Lucee servers?

If none of that works, is it possible to store the password unencrypted by leaving the encrypted identifier off? Certainly not an ideal method.

I assume the same method to encrypt is used for the admin password as well.

Brad should know. He has this on ForgeBox. The password is a salted SHA-256 hash. The DB password is encrypted with Blowfish, I think.
https://www.forgebox.io/view/lucee-password-util

Also saw this:


Yep, that library will do it, but you don't need to use that lib directly. Use CFConfig, which is built for this purpose. CFConfig bundles the lib above plus a lot more, wrapped up as a CLI.

https://cfconfig.ortusbooks.com/introduction/getting-started-guide


I like this solution, as it seems a little less problematic; in case the internal details change going forward, it seems less fragile.

Although it does require an external dependency, since I need to install CommandBox and CFConfig separately.

This seems to work with the admin password but not the database password. Is the salt the same as for the admin password? Also, the encrypted database password seems to be 112 characters. Is there some additional processing done, or?

Thank you.

@Zach_Brown Database passwords and admin passwords are not handled the same. The DB passwords are encrypted in a reversible format. The admin passwords are hashed and not reversible. Either way, the answer is the same: use CFConfig to apply your settings and you won't need to worry about the details of how each password works 🙂
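The deploy-time flow that the two CFConfig replies above describe (feed plain-text secrets to CFConfig and let it produce the hashed admin password and the encrypted datasource password), written out as an added example. This is not code from the thread, from Lucee or from CFConfig. It assumes `DB_PASSWORD` and `ADMIN_PASSWORD` arrive in the environment at deploy time (for example passed from CloudFormation or Secrets Manager into user data), that `LUCEE_SERVER_HOME` points at the lucee-server directory, and that CommandBox's `box` binary is on PATH. The datasource name, driver and host are placeholders.

```shell
# Added example, not code from the thread, Lucee or CFConfig.
# Assumptions: DB_PASSWORD and ADMIN_PASSWORD are set in the environment at
# deploy time; LUCEE_SERVER_HOME is the lucee-server directory; `box` is on
# PATH. Datasource name/driver/host below are placeholders.
set -eu

# Escape a value for use inside a JSON string literal (backslash, quote).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Render a CFConfig JSON file from plain-text secrets. Nothing is encrypted
# here on purpose: CFConfig hashes adminPassword and encrypts the datasource
# password itself when it writes the Lucee XML, so the deploy script never
# has to know Lucee's internal formats. Prints the path of the written file.
render_cfconfig() {
    out="$1"
    cat > "$out" <<EOF
{
  "adminPassword": "$(json_escape "$ADMIN_PASSWORD")",
  "datasources": {
    "appDS": {
      "dbdriver": "PostgreSQL",
      "host": "${DB_HOST:-db.internal}",
      "port": "5432",
      "database": "app",
      "username": "${DB_USER:-app}",
      "password": "$(json_escape "$DB_PASSWORD")"
    }
  }
}
EOF
    chmod 600 "$out"   # the file holds plain-text secrets; restrict it
    printf '%s\n' "$out"
}

# Apply the rendered file to the Lucee server context with CFConfig.
# toFormat=luceeServer@5 is the CFConfig format name documented for Lucee 5
# (assumption for your version: check `box cfconfig import help`).
apply_cfconfig() {
    box cfconfig import from="$1" to="$LUCEE_SERVER_HOME" toFormat=luceeServer@5
    rm -f "$1"   # remove the plain-text copy once it has been imported
}

# Only run the full flow when explicitly asked (CFCONFIG_APPLY=1), so the
# functions can be sourced or tested without touching a server.
if [ "${CFCONFIG_APPLY:-0}" = "1" ]; then
    file=$(render_cfconfig "$(mktemp)")
    apply_cfconfig "$file"
fi
```

Because the admin password is stored as a salted hash, the value that ends up in the XML cannot be turned back into the secret; the datasource password is stored reversibly only because Lucee has to present it to the database at connect time. That is also why the rendered JSON is the sensitive artifact here: keep it mode 600, import it once, and delete it, rather than baking it into the image.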