XCP-ng

    nermalia

    @nermalia


    Latest posts made by nermalia

    • RE: Encrypt server passwords in database

      Passive-aggressive comment about "please read it" aside, that doesn't really address my concern. It's a pretty significant security risk to be having passwords in plaintext on the system, especially when they're just sitting in a file on the filesystem, which can be easily obtained due to lack of encryption.

      It seems as though this isn't seen as a concern by the team though, so I'll take that under advisement.

      posted in Xen Orchestra
      nermalia
    • Encrypt server passwords in database

      Re: Exported Xen Orchestra Config Contains Plaintext Host Passwords - Is This Intentional?

      I've been going through this older issue about plaintext passwords and was wondering if there were any plans for encrypting the passwords in the database in some form?

      The reason I ask is that, since there are no ACLs on the free version of the product, anyone with access to Xen Orchestra will have access to export the config unless we subscribe to the paid versions.

      There is also the issue with it being stored in plaintext in Redis as well, meaning anyone that can get access to the dump.rdb file will gain access to all the server passwords, and since the XOA drives can't be encrypted at rest by default, anyone with access to the storage the appliance is running on can in theory just copy the rdb file off and immediately gain root or admin access to your hypervisors.

      posted in Xen Orchestra
      nermalia