config.json -- storing plain text? #416

New Issue

Closed

opened 2026-02-04 20:23:32 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-04 20:23:32 +03:00

Owner

Copy Link

Originally created by @moranbw on GitHub (Sep 12, 2019).

Does it matter that we are storing the admin_token and smtp_password as plain text in the config.json? Should the permissions of this file be by default more restrictive?

More asking then suggesting. I guess this still does not necessarily expose a user's vault, which is the main thing.

Originally created by @moranbw on GitHub (Sep 12, 2019). Does it matter that we are storing the admin_token and smtp_password as plain text in the config.json? Should the permissions of this file be by default more restrictive? More asking then suggesting. I guess this still does not necessarily expose a user's vault, which is the main thing.

OVERLORD closed this issue 2026-02-04 20:23:34 +03:00

OVERLORD commented 2026-02-04 20:23:47 +03:00

Author

Owner

Copy Link

@mprasil commented on GitHub (Sep 13, 2019):

You can set the permissions of the file yourself - as long as the container user can read and write to it, it should work fine.

You can also provide these as environment variables and you can the work out yourself how to set them in secure manner.

@mprasil commented on GitHub (Sep 13, 2019): You can set the permissions of the file yourself - as long as the container user can read and write to it, it should work fine. You can also provide these as environment variables and you can the work out yourself how to set them in secure manner.

OVERLORD commented 2026-02-04 20:23:52 +03:00

Author

Owner

Copy Link

@mprasil commented on GitHub (Sep 30, 2019):

I'm going to close this one as there are multiple ways to provide the credentials without storing them in config.json and the permissions on the file itself can be set in any way as long as the service can read it and write to it. Feel free to reopen, if there's anything more we can do regarding this.

@mprasil commented on GitHub (Sep 30, 2019): I'm going to close this one as there are multiple ways to provide the credentials without storing them in config.json and the permissions on the file itself can be set in any way as long as the service can read it and write to it. Feel free to reopen, if there's anything more we can do regarding this.

OVERLORD referenced this issue 2026-02-05 04:54:04 +03:00

[PR #416] [MERGED] Armv6 #2708

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#416