[8.5.5.18 or later]

Encrypting passwords by using AES

You can encrypt passwords in the client environment and the server environment by using Advanced Encryption Standard (AES). You can create and enable an AES custom key manager when the default key manager does not implement a specific requirement for your needs.

Before you begin

  • Before you encrypt your passwords, back up your configuration files so that an unexpected failure does not lose information.
  • Understand the limits of the protection that AES password encryption provides for your passwords.
    • Encrypting a password in the configuration and properties files does not guarantee that the password is secure or protected. It means only that someone who can see the encrypted password, but does not know the encryption key, cannot easily recover the password.
    • You must store the encrypted password and the decryption key on a file system that the application server runtime environment can access. Anyone who encrypts a password to place in the configuration files must use that encryption key to do so.
    • The key for AES encryption is stored in the aesKey.jceks file. Various parameters that require password encryption are stored in the passwordUtil.properties file. If an attacker can read these two files on a server instance, an AES-encrypted password is no more secure than an exclusive-OR (XOR) encoded password, which is the default encoding for password protection.
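
A check that follows from the last point, added here as an example and not part of the product documentation: a POSIX shell script that verifies that aesKey.jceks and passwordUtil.properties are owned by the account that runs the application server and carry no group or other permission bits. The configuration directory and the owner account name are assumptions passed as arguments, and the script relies on GNU stat.

```shell
#!/bin/sh
# Added example, not WebSphere's own tooling. The directory that holds the
# two files and the server account name are assumptions supplied by the caller.

# check_secret_file FILE OWNER
# Returns 0 when FILE exists, is owned by OWNER and has no group/other
# permission bits; prints the reason and returns 1 otherwise.
check_secret_file() {
    file=$1
    owner=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    # stat -c is GNU coreutils: %U is the owner name, %a the octal mode.
    actual_owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$actual_owner" != "$owner" ]; then
        echo "OWNER    $file is owned by $actual_owner, expected $owner"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0,
    # otherwise another local account can read the key or the parameters.
    case "$mode" in
        *00) echo "OK       $file mode $mode owner $owner"; return 0 ;;
        *)   echo "EXPOSED  $file mode $mode is readable beyond $owner"; return 1 ;;
    esac
}

# check_aes_password_files CONFIG_DIR OWNER
# Checks both files named in the documentation; returns 1 if either fails.
check_aes_password_files() {
    rc=0
    check_secret_file "$1/aesKey.jceks" "$2" || rc=1
    check_secret_file "$1/passwordUtil.properties" "$2" || rc=1
    return $rc
}
```

Run it as `check_aes_password_files /path/to/profile/config wasadmin` (both values assumed) from the server host, for example as a post-deployment step.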

About this task

You can configure AES encryption only with the wsadmin scripting tool. AES encryption is not available in the administrative console.