
How do I store a Java KeyStore password?

In my web application I access a private key that is stored in a Java KeyStore. I would like to know what is the best/recommended way to store the password for the KeyStore and private key.

I've considered using a properties file but that does not seem very secure for use in a production environment (storing password in a plain text file). Also, hard-coding the password in my code is not an option I'm willing to entertain.

Thanks.


This is a tricky bootstrapping problem. Some options:

  • Have your app prompt the user to unlock the keystore (not very friendly, but possible)

  • Store the password in an owner-read-only file (0400) and use that to unlock the keystore. The attacker has to break into your server to read the file. This seems to be the most widely used technique
  • Use an HSM
  • Use something like Hashicorp Vault (but it has the bootstrapping issue as well).
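As an added example (not code from the question or either answer), the second option above, an owner-read-only password file, wired up in Java: the loader refuses a password file that group or others can read, reads the password into a char[] rather than a String so it can be zeroed after use, and main builds a constructed empty PKCS12 keystore and a 0400 password file in a temp directory. The class name, file names and password are assumptions; it assumes a POSIX filesystem and Java 10 or later.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.EnumSet;

public class KeyStoreLoader { // hypothetical class name
    // Read the password as char[] (a String could not be wiped), dropping a trailing newline.
    static char[] readPassword(Path passwordFile) throws Exception {
        byte[] raw = Files.readAllBytes(passwordFile);
        var cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        int len = cb.remaining();
        while (len > 0 && Character.isWhitespace(cb.get(len - 1))) len--;
        char[] pw = new char[len];
        cb.get(pw, 0, len);
        Arrays.fill(raw, (byte) 0);      // scrub both intermediate copies
        Arrays.fill(cb.array(), '\0');
        return pw;
    }
    static KeyStore load(Path keystoreFile, Path passwordFile) throws Exception {
        // Refuse a password file that group or others can read: only owner bits (0400/0600) pass.
        var perms = Files.getPosixFilePermissions(passwordFile);
        if (!EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE).containsAll(perms))
            throw new SecurityException(passwordFile + " has permissions " + perms + ", expected 0400");
        char[] password = readPassword(passwordFile);
        try (var in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);       // verifies the keystore MAC and unlocks it
            return ks;
        } finally {
            Arrays.fill(password, '\0'); // keep the password in memory only as long as needed
        }
    }
    // Demo: a constructed empty PKCS12 keystore and a 0400 password file in a temp directory.
    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ksdemo");
        Path pwFile = dir.resolve("keystore.pw"), ksFile = dir.resolve("app.p12");
        char[] pw = "constructed-demo-password".toCharArray();
        Files.write(pwFile, (new String(pw) + "\n").getBytes(StandardCharsets.UTF_8));
        Files.setPosixFilePermissions(pwFile, EnumSet.of(PosixFilePermission.OWNER_READ));
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        try (var out = Files.newOutputStream(ksFile)) { ks.store(out, pw); }
        System.out.println("loaded keystore with " + load(ksFile, pwFile).size() + " entries");
    }
}
```

The permission check guards against the file being widened by a careless deploy; the 0400 bits themselves must still be set by whoever provisions the host.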


You could use a properties file as you mention; just hash the password for extra security, salt and hash the password. This gets round the issue of having to keep a password in plain text. You can then use either MD5 or SHA1 to hash it, personal choice.

