My group at work is testing Discourse. There have been concerns raised about the requirement in the yml file for a typed password to access an SMTP server. How secure is this? Is there an alternative in which the SMTP password is stored in an encrypted way?
You can make your SMTP server allow connections without a password, and check for an IP whitelist, for example.
It’s available only to people with root access to the server. If you don’t trust people who have root access to your server, then you have more profound problems than worrying about whether they have access to an SMTP password.
Also, this cannot be fixed: Discourse needs the password to provide it to the SMTP server – so no matter how you store it, there must be a way to read it. (This is similar to how web servers need the private key to their SSL certificate.)
If it is encrypted, how would Discourse decrypt it?
I’ve seen this solved. But the solution is ugly (in the sense that I wouldn’t recommend it for a standard install).
The trick: encryption key in a shared memory location, supplied at boot time by a human.
This was the recommended way to use a credit card number storage tool I worked with a few years ago.
But if it’s in memory, surely a root user could still get access to it. (Granted, it’s significantly more effort, but still.)
Yes. It’s not 100% secure, but it is also not something you could find with access to the backups.
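
The claim in the thread that the password is "available only to people with root access" holds only if the file's ownership and permissions actually enforce it. The following check is an added example, not part of the thread or of Discourse's own tooling; `audit_secret_file` is a hypothetical helper name, and the path to the yml file is passed in as an argument rather than assumed.

```shell
#!/bin/sh
# Added example. audit_secret_file is a hypothetical helper name; pass the
# path of the yml file that holds the SMTP password as the first argument.
# Usage: audit_secret_file FILE [EXPECTED_OWNER]   (owner defaults to root)
# Returns 0 if clean, 1 if any finding, 2 if FILE does not exist.
audit_secret_file() {
    file=$1
    want_owner=${2:-root}
    rc=0
    [ -f "$file" ] || { echo "MISSING: $file"; return 2; }

    # Field 1 of `ls -ld` is the mode string, field 3 the owning user.
    mode=$(ls -ld "$file" | awk '{print $1}')
    owner=$(ls -ld "$file" | awk '{print $3}')

    if [ "$owner" != "$want_owner" ]; then
        echo "FINDING: $file is owned by $owner, expected $want_owner"
        rc=1
    fi

    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "FINDING: $file grants access to group/other ($mode)"
        rc=1
    fi

    # A group- or world-writable parent directory lets a non-owner
    # replace the file, so check characters 6 and 9 of its mode string.
    dir=$(dirname "$file")
    dmode=$(ls -ld "$dir" | awk '{print $1}')
    gw=$(printf '%s' "$dmode" | cut -c6)
    ow=$(printf '%s' "$dmode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FINDING: directory $dir is writable by group/other ($dmode)"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file is readable only by $want_owner"
    return "$rc"
}
```

The same function can be pointed at any backup copy of the file, since a copy carries the same plaintext password.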