.env file shows db user as cleartext #4899

Closed
opened 2026-02-05 09:24:46 +03:00 by OVERLORD · 3 comments

Originally created by @LindwehrFabian on GitHub (Aug 5, 2024).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Hello,
is it somehow possible to not show the db user's username/password as cleartext in the .env file?

Thanks already everyone!

Greetings
Fabian

Exact BookStack Version

v24.05.3

Log Content

No response

Hosting Environment

XAMPP 3.3.0
MySQL
Apache

OVERLORD added the 🐕 Support label 2026-02-05 09:24:46 +03:00

@ssddanbrown commented on GitHub (Aug 5, 2024):

Hi @LindwehrFabian,
We don't support other methods (like encryption or remote stores) to define these values.
BookStack will take the same named options from the environment though, so if you can instead set environment variables for the apache/php process, that could be used instead of being defined in the .env.


@Zverik commented on GitHub (Aug 12, 2024):

It's a common practice to store passwords as cleartext on the server, provided the configuration file is not publicly accessible. Otherwise a hacker has access to the entire server contents, and it doesn't matter whether they got the password from that file.
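An added example to go with the two comments above (the maintainer's note that BookStack reads the same-named options from the process environment, and the point that the file must not be readable by others); this script is not from this thread or from BookStack. The key names DB_USERNAME and DB_PASSWORD are BookStack's own .env keys; the sample .env content is constructed, and the environment-first precedence implemented in db_setting is this script's own assumption about how a same-named variable takes over from the file, not a statement about BookStack's loader.

```shell
#!/bin/sh
# Added illustration for this thread (not BookStack's own code).
# Three checks an admin can run on a BookStack host:
#   env_file_is_private FILE   - exit 0 unless FILE is readable by "other" users
#   secrets_in_env_file FILE   - print the credential keys still set in FILE
#   db_setting KEY FILE        - value of KEY from the process environment if
#                                it is set there, otherwise from FILE
#                                (precedence order assumed for illustration)

# Credential-bearing keys from BookStack's .env that this thread is about.
SECRET_KEYS='DB_USERNAME|DB_PASSWORD'

env_file_is_private() {
    file="$1"
    [ -f "$file" ] || return 2
    # Character 8 of `ls -l` output is the "other" read bit ('r' or '-');
    # this works with both GNU and BSD ls, unlike stat's format flags.
    other_read=$(ls -ld "$file" | cut -c8)
    [ "$other_read" != "r" ]
}

secrets_in_env_file() {
    file="$1"
    # Keys from SECRET_KEYS that have a non-empty value, space separated.
    grep -E "^(${SECRET_KEYS})=.+" "$file" | cut -d= -f1 | tr '\n' ' ' | sed 's/ $//'
}

db_setting() {
    key="$1"
    file="$2"
    if eval "[ \"\${$key+set}\" = set ]"; then
        # Variable exists in the shell/process environment: use it, file not consulted.
        eval "printf '%s' \"\$$key\""
    else
        # Fall back to the first matching KEY=value line of the file.
        grep -E "^${key}=" "$file" | head -n 1 | cut -d= -f2-
    fi
}

# Demonstration on a constructed .env in a temporary directory.
demo_dir=$(mktemp -d)
demo_env="$demo_dir/.env"
printf '%s\n' 'APP_URL=http://localhost' 'DB_HOST=127.0.0.1' \
    'DB_USERNAME=bookstack' 'DB_PASSWORD=constructed-sample' > "$demo_env"
chmod 644 "$demo_env"   # common default: world-readable, which the check flags

if env_file_is_private "$demo_env"; then
    echo ".env is private"
else
    echo "WARNING: .env is world-readable; consider: chmod 640 $demo_env"
fi
echo "secrets still in file: $(secrets_in_env_file "$demo_env")"
echo "DB_USERNAME from file:    $(db_setting DB_USERNAME "$demo_env")"
# Subshell so the exported test value does not leak into this shell.
echo "DB_USERNAME from process: $(DB_USERNAME=from-process; export DB_USERNAME; db_setting DB_USERNAME "$demo_env")"
rm -rf "$demo_dir"
```

After moving DB_USERNAME and DB_PASSWORD into the web server's process environment (for example in the Apache or PHP service definition), running secrets_in_env_file against the real .env should print nothing, and env_file_is_private should succeed for the file that remains.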


@LindwehrFabian commented on GitHub (Aug 12, 2024):

> It's a common practice to store passwords as cleartext on the server, provided the configuration file is not publicly accessible. Otherwise a hacker has access to the entire server contents, and it doesn't matter whether they got the password from that file.

I didn't actually know that, thank you very much for the information :) And thinking about it, you're absolutely right haha :)

Reference: starred/BookStack#4899