Short answer: No. See JRA-31004.
Longer answer:
JIRA has to actually have access to this information to connect to the database. Since it must be algorithmically recoverable by JIRA using a direct algorithm, anything we do to protect it must be reversible, and that amounts to simple obfuscation.
The database is not the only place that we have this problem, and you can see some of my comments about a similar case (LDAP server passwords) in JRA-27457, where I talk about why we can't just hash it and why obfuscating it doesn't really help. I also lay out what I think the long term solution should look like.
I've built a library to make possible the "separation of concerns" that I outline there, and our security team is aware of it. However, making use of it will require some significant changes in all of the products, and it will also complicate the import/export process for Cloud, so this is not likely to progress quickly, but fixing these issues is definitely on our security roadmap.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.