Encrypting KeyStore Password in tomcat in server.xml in a secure way


Did anyone try encrypting the keystore password used in Tomcat's server.xml?

I tried a solution (custom encryption) mentioned on Stack Overflow, "Encrypt tomcat keystore password", and it works, but the problem is that it is still not secure, because the encryption key can be retrieved, and with it the password, which makes it vulnerable.

Is there any other way? I am using Win19, Java 8 and Tomcat 9 for my app.

Answer by Olaf Kock:

This question has been answered in the Tomcat FAQ, quite extensively, but not in a way that you will probably like: as long as you don't enter the password manually, you'll end up storing the decryption key next to the encrypted password, so you typically only obfuscate the password.

The FAQ mentions other ways around this, from XML entities, to custom decrypting code, to the Tomcat Vault implementation. But the baseline is: if you do not require manual intervention, you typically just make it harder to retrieve the password, not impossible.
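The "custom decrypting code" route the answer mentions maps onto a real Tomcat extension point: a class implementing `org.apache.tomcat.util.IntrospectionUtils.PropertySource`, registered through the `org.apache.tomcat.util.digester.PROPERTY_SOURCE` system property, is consulted whenever server.xml contains a `${name}` placeholder. The following is an added example, not code from the question, the answer or the Tomcat project: it resolves placeholders from a `conf/secrets.properties` file (an assumed location), decrypts entries prefixed `enc:` with AES-256-GCM, and takes the key from an environment variable with the assumed name `TOMCAT_CONFIG_KEY`. The package and class name are hypothetical. It also makes the answer's point concrete: the key still has to be readable by the Tomcat process, so whoever can read the service definition or the process environment can recover the password.

```java
package example; // hypothetical package and class name

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${name} placeholders in server.xml from conf/secrets.properties and
 * decrypts values carrying the "enc:" prefix with AES-256-GCM. The key is read from
 * the TOMCAT_CONFIG_KEY environment variable (hypothetical name). The key is therefore
 * still present on the host, so this obfuscates the password; it does not remove it.
 */
public class DecryptingPropertySource implements IntrospectionUtils.PropertySource {

    private static final String ENC_PREFIX = "enc:";
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private final byte[] key;
    private final Properties secrets = new Properties();

    /** Tomcat instantiates this reflectively, so only unchecked exceptions leave the constructor. */
    public DecryptingPropertySource() {
        String b64 = System.getenv("TOMCAT_CONFIG_KEY");
        if (b64 == null) {
            throw new IllegalStateException("TOMCAT_CONFIG_KEY is not set");
        }
        key = Base64.getDecoder().decode(b64);
        if (key.length != 32) {
            throw new IllegalStateException("TOMCAT_CONFIG_KEY must decode to 32 bytes (AES-256)");
        }
        Path file = Paths.get(System.getProperty("catalina.base"), "conf", "secrets.properties");
        try (InputStream in = Files.newInputStream(file)) {
            secrets.load(in);
        } catch (IOException e) {
            throw new UncheckedIOException("cannot read " + file, e);
        }
    }

    @Override
    public String getProperty(String name) {
        String value = secrets.getProperty(name);
        if (value == null) {
            return null;              // unknown here: Tomcat tries its other sources
        }
        if (!value.startsWith(ENC_PREFIX)) {
            return value;             // plain entry, returned unchanged
        }
        try {
            return decrypt(value.substring(ENC_PREFIX.length()));
        } catch (GeneralSecurityException e) {
            // Wrong key or tampered ciphertext: fail startup rather than use a bad value
            throw new IllegalStateException("cannot decrypt property " + name, e);
        }
    }

    private String decrypt(String b64) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(b64);        // layout: IV || ciphertext || tag
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** Helper for the admin: prints an "enc:" value for secrets.properties from the given plaintext. */
    public static void main(String[] args) throws GeneralSecurityException {
        byte[] k = Base64.getDecoder().decode(System.getenv("TOMCAT_CONFIG_KEY"));
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                     // fresh nonce per value; never reuse with one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        System.out.println(ENC_PREFIX + Base64.getEncoder().encodeToString(blob));
    }
}
```

To wire it in on the Windows/Tomcat 9 setup from the question: put the compiled class in a jar under `CATALINA_BASE\lib`, add `-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=example.DecryptingPropertySource` to `CATALINA_OPTS` in `bin\setenv.bat` (or to the service's Java options), write `keystore.pass=enc:...` (the output of the helper `main`) into `conf\secrets.properties`, and reference it in server.xml as `keystorePass="${keystore.pass}"`. AES-256 needs Java 8u161 or later, where the unlimited-strength policy is the default. Restrict the ACLs on `secrets.properties` and on wherever `TOMCAT_CONFIG_KEY` is defined to the service account; anyone who can read both still recovers the password, which is exactly the limitation the answer describes.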