Removing plain text database credentials from server

(Maeve Morren) #1

Hi, I have just recently noticed that on our Octopus servers that our database credentials are in plain text which poses a security risk. Is there a simple way to remove these or encrypt them? Thank you in advance!

*Please mark this thread as private

(Daniel Fischer) #3

Hi Maeve,

Thanks for getting in touch! Currently we have no way to remove or encrypt the database credentials from the Octopus configuration file.

There are a couple of methods which may help you though.

The first is to switch to Windows integrated authentication for your database connection to avoid leaving the credentials in the file.

The other idea would be to lock down access to the config file so only the Octopus service account has access.

Unfortunately these are the only options available as we are currently unable to encrypt the connection string and the Octopus service needs access to the configuration file.

We do have a documentation section on Hardening Octopus which contains some helpful information for common security concerns, though it does not directly address the OctopusServer.config file.

If you have any further questions here, or if I've misinterpreted your request, please let me know.

Best regards,
Daniel
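As an added example that is not part of this thread or of Octopus Deploy's own tooling, here is a PowerShell script that applies the second option above: it locks the NTFS ACL on OctopusServer.config so that only the Octopus service account (plus SYSTEM and local Administrators for operations) can read it, then lists the resulting ACL so you can verify it. The config path and the service account name are assumptions; replace them with your own.

```powershell
# Added example, not from the thread or from Octopus Deploy: restrict the NTFS ACL
# on OctopusServer.config to the service account, SYSTEM and local Administrators.
# The path and the account name below are assumptions; adjust them for your server.
param(
    [string]$ConfigPath = 'C:\Octopus\OctopusServer.config',   # assumed location of the config file
    [string]$ServiceAccount = 'DOMAIN\svc-octopus'              # placeholder: the Octopus service account
)

$acl = Get-Acl -Path $ConfigPath

# Stop inheriting permissive entries from the parent folder and discard the inherited ones.
$acl.SetAccessRuleProtection($true, $false)

# Remove any remaining explicit entries so the result is exactly what is granted below.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Least privilege: the service only needs to read the file; operators keep full control.
$grants = @(
    @{ Identity = $ServiceAccount;          Rights = 'Read' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Identity, $g.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ConfigPath -AclObject $acl

# Verify: any identity listed here beyond the three grants above is a finding to investigate.
(Get-Acl -Path $ConfigPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType |
    Format-Table -AutoSize
```

Run it from an elevated session; if the Octopus service is later observed to fail when updating the file, widen the service account's entry from Read to Modify rather than reopening the file to other users.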

(Maeve Morren) #4

Hi Daniel,

Thank you for clearing that up! I think we’ll go ahead and lock the file down to a service account. You can mark this as resolved now, thanks again for your help!

Maeve.