Is there a way to hide plaintext passwords in Redis configuration files

[tentosleep]

For security reasons, is there any way to hide the plaintext password in Redis configuration files, such as requirepass and masterauth

[ShooterIT]

I think maybe you can use ACL instead of the plaintext password

[tentosleep]

ACL is a good way,but actually,I have already used this configuration.However, even if you use ACL configuration, you cannot leave 'requirepass' blank. Besides, even though you can comment out' requirepass', how can we solve the plaintext configuration of 'masterauth' in master-slave mode. All in all, that's the issue that bothers me.

[ShooterIT]

how can we solve the plaintext configuration of 'masterauth' in master-slave mode.

Oh, currently we must use plaintext since replica need use plaintext password when connecting master, just like normal clients

[tentosleep]

Thank you very much!!!
I tested the ACL function and discovered that it can indeed solve the plaintext issue of "requirepass", but the plaintext issue of masterauth still cannot be resolved. Even if ACl can be used to set the connection user of the slave node in the master node, such as "acl setuser slave on # ciphertext password, the configuration of the slave node still requires masteruser and masterauth, which must be in plaintext. I am curious is there any way to solve this problem in the future? Since Redis configuration files can read the client access password of ciphertext, the master-slave connection password of the password maybe also refer to this method.

[ShooterIT]

Oh, currently we must use plaintext since replica need use plaintext password when connecting master, just like normal clients

@tentosleep as i said above, requirepass is to check clients' password, so we can verify if the client password checksum is equal to the checksum in conf file. but for master, replica is a client, so replica still need plaintext word to auth with master.

[seppo498573908457]

There are others too, like the password for certificate private key "tls-key-file-pass".

Redis will return plain text secrets and passwords through config get command.

This would be a critical security issue in any professionally plausible software.

[ShooterIT]

Redis will return plain text secrets and passwords through config get command.

not sure, maybe we can support to return the SHA of the passwords instead of plain text