Type: Enhancement
Resolution: Unresolved
Priority: P3
Affects Version/s: 8, 25
keytool exposes the password in plain text when the command's output is piped through grep:
keytool -v -list -keystore storename.jks | grep <word>
This default behavior is an insecure practice and can leak the password, especially in shared environments. Some workarounds exist, such as using environment variables or password files to avoid unmasked passwords, but they are still not ideal because of the risk of leaving sensitive data on disk. We propose:
- Interactive prompt support: Allow secure masked password input when -storepass is omitted (preferred option)
or
- Warn on insecure usage: Detect and warn that passwords will be shown in plaintext when piping the output
- Improve documentation: Promote the -storepass:file and -storepass:env forms alongside -storepass for use when piping
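The three behaviours the proposal asks for, as an added illustration that is not keytool's own source and not part of this issue: the literal -storepass, the -storepass:env and -storepass:file forms, and a masked prompt when -storepass is omitted that refuses, with a warning, when no terminal is attached (the "| grep" case, where a plain read from System.in would echo the typed password). The class name StorePassSource, the exit code and the message texts are assumptions of this example.

```java
import java.io.Console;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;

/*
 * Example only (not keytool source). Resolves a keystore password the way the
 * proposal describes: literal -storepass stays supported, -storepass:env and
 * -storepass:file keep the value off the command line, and with -storepass
 * omitted the password is prompted for with echo disabled. If no terminal is
 * attached (output piped through grep, stdin redirected) the prompt is refused
 * with a warning instead of silently echoing the input.
 */
public final class StorePassSource {

    /** option is the flag as typed on the command line, e.g. "-storepass:env". */
    static char[] fromOption(String option, String arg) throws IOException {
        switch (option) {
            case "-storepass":
                // Literal value: visible in shell history and in "ps" output.
                return arg.toCharArray();
            case "-storepass:env":
                String value = System.getenv(arg);
                if (value == null) {
                    throw new IllegalArgumentException("environment variable not set: " + arg);
                }
                return value.toCharArray();
            case "-storepass:file":
                // Only the first line is the password; a trailing CR/LF is not part of it.
                String text = new String(Files.readAllBytes(Paths.get(arg)), StandardCharsets.UTF_8);
                int end = text.indexOf('\n');
                if (end < 0) end = text.length();
                if (end > 0 && text.charAt(end - 1) == '\r') end--;
                return text.substring(0, end).toCharArray();
            default:
                throw new IllegalArgumentException("unknown option: " + option);
        }
    }

    /**
     * Masked interactive prompt. Returns null when masking is impossible so the
     * caller can fail closed; this is the "warn on insecure usage" branch.
     */
    static char[] fromPrompt() {
        Console console = System.console();
        if (console == null) {
            // System.console() is null when stdin or stdout is not a terminal,
            // which is exactly the "keytool ... | grep" situation. Reading from
            // System.in here would echo every keystroke to the visible terminal.
            System.err.println("Warning: no terminal attached, the password cannot be masked; "
                    + "use -storepass:env VAR or -storepass:file PATH when piping output.");
            return null;
        }
        return console.readPassword("Enter keystore password:  ");
    }

    public static void main(String[] args) throws IOException {
        char[] password = (args.length >= 2 && args[0].startsWith("-storepass"))
                ? fromOption(args[0], args[1])
                : fromPrompt();
        if (password == null) {
            System.exit(2);   // fail closed rather than echo the password (exit code is an assumption)
        }
        try {
            // A real tool would open the keystore here; this example only reports the length.
            System.out.println("keystore password accepted (" + password.length + " chars)");
        } finally {
            Arrays.fill(password, '\0');   // do not keep the secret in the heap longer than needed
        }
    }
}
```

Try it as `java StorePassSource.java | grep accepted` versus `java StorePassSource.java` on its own: the piped run hits the warning branch, the interactive run masks the input. The System.console() null check matches the JDK versions listed as affected; on JDK 22 and later, Console.isTerminal() is the more precise test, since depending on the console provider System.console() can be non-null even when the streams are redirected.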
Relates to: JDK-8202917 keytool should not echo keystore password when output piped through grep (Closed)
Links to: Review(master) openjdk/jdk/24805