The limits to protection through password encryption

IBM® MQ supports AES-128 encryption for passwords that are stored in various configuration files. When you use Advanced Encryption Standard (AES) encryption to protect passwords in the IBM MQ configuration, you need to understand the limits to the protection that it provides.

Encrypting a password in the IBM MQ configuration files does not by itself make the password secure. It only prevents the password from being easily recovered by someone who can read the encrypted password but does not have the encryption key. IBM MQ processes need access to both the encrypted password and the decryption key to obtain the clear-text password for use, so both items must be stored on the file system in a location that is readable by IBM MQ. Anyone who encrypts a password for placement in a configuration file also needs access to the encryption key. If an attacker has the same file-system access as the IBM MQ processes, applying AES encryption to the password therefore provides only a minimal level of protection.

Nonetheless, encrypting passwords at rest is still worth doing, because it prevents accidental disclosure of passwords and allows configuration files to be shared, provided that the decryption key is not shared with them.

In addition to ensuring that the file that contains the decryption key is not shared, take care to protect that file from other users on the same system. IBM MQ configuration files can be readable by all users, but the file that contains the decryption key should have the minimum permissions necessary: the user IDs that the IBM MQ processes run as must be able to read it, while the group and all other users on the system do not need read access and should not be granted it.
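The following shell script is an added example, not an IBM MQ utility, that creates a decryption-key file with owner-only permissions and then audits it the way the paragraph above describes: the file must be readable by its owner (assumed here to be the user ID that the IBM MQ processes run as) and by nobody else. The file path, the sample key material, and the function names are assumptions for illustration only; substitute the real key file path and the real IBM MQ service user on your system. Note that this check only confirms that other users cannot read the key; anyone who can run code as the file's owner can still decrypt the passwords.

```shell
#!/bin/sh
# Added example: create and audit a decryption-key file with owner-only access.
# Not part of IBM MQ; paths, names and key material are constructed for illustration.

# Create the key file so that it is never, even briefly, readable by group or others.
# The umask is applied in a subshell before the file is created, then the mode is
# pinned to 0600 explicitly.
create_key_file() {
    file="$1"
    ( umask 077 && printf '%s\n' 'constructed-sample-key-material' > "$file" ) || return 1
    chmod 600 "$file"
}

# Print the last three octal digits of a file's mode (GNU stat first, BSD stat fallback).
file_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    printf '%s' "$m" | tail -c 3
}

# Return 0 only if the group and other permission digits are both zero,
# that is, only the owner can read (or write) the key file.
key_file_is_private() {
    file="$1"
    [ -f "$file" ] || return 1
    mode=$(file_mode "$file") || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 only if the key file is owned by the expected user, which should be the
# user ID that the IBM MQ processes run as (assumed here to be passed in by the caller).
key_file_owned_by() {
    file="$1"
    expected="$2"
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file" 2>/dev/null) || return 1
    [ "$owner" = "$expected" ]
}

# Combined audit: both conditions must hold for the key file to be considered protected.
audit_key_file() {
    key_file_is_private "$1" && key_file_owned_by "$1" "$2"
}
```

A typical run creates the file with `create_key_file /path/to/mq.key` and then calls `audit_key_file /path/to/mq.key mqm` (substituting the real service user); a non-zero exit from the audit means either the mode allows group or world read or the owner is wrong, and in both cases the key must be considered exposed to other users on the system.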