Contents x
      Encrypt the Lasernet Keep Datasource Password
      • 28 Nov 2025
      • 3 Minutes to read
      • Contributors
      • Print
      • PDF
      Contents

      Encrypt the Lasernet Keep Datasource Password

      • Updated on 28 Nov 2025
      • 3 Minutes to read
      • Contributors
      • Print
      • PDF
      Article summary

      By default, the password that Keep uses to connect to its datasource is stored as cleartext.

      To mitigate this security risk, Keep can store an encrypted password. This ensures that the password is not revealed when Keep configuration files are viewed or shared.

      Note

      A Keep system’s datasource is a database, so the subject of this guide is the database connection password.

      Note

      This guide applies only to Keep systems running in standalone mode.

      Note

      This page contains draft documentation for beta software. Until the final release of Lasernet Keep 11.0, the content on this page is subject to revision.

      In summary, the implementation process for encrypting the Keep datasource password is:

      1. Complete prerequisite steps.

      2. Install the custom Wildfly login module.

      3. Generate an encrypted password.

      4. Configure Keep.

      5. Start Keep.

      The steps are described in detail below.

      Prerequisite Steps

      Download the Required Files

      To implement datasource password encryption, you will need the following components:

      • efs-pbetool.jar: A CLI tool that encrypts the password.

      • pbeloginmodule-1.0.1-module.zip: A ZIP archive that contains the Wildfly module that decrypts the password at runtime.

      These components are packaged into a single ZIP file. This package includes PbeLoginModule-1.0.1.

      https://prsupportdownloads.blob.core.windows.net/autoformdm/Tools/pbeloginmodule-1.0.1-dist.zip

      Back Up the Current Keep Configuration File

      Locate the standalone.xml Keep configuration file and make a backup copy of it. This file is in the \standalone\configuration directory of the Wildfly application server.

      For example, if Keep is installed to create a node named Production and it is installed to its default location, the configuration file is C:\Program Files\Formpipe Software\Lasernet Keep\Server_11.0 - Production\wildfly-22.0.1.Final\standalone\configuration\standalone.xml.

      Install the Custom Wildfly Login Module

      To install the password decryption module:

      1. Open the ZIP file that you downloaded and then find pbeloginmodule-1.0.1-module.zip within it.

      2. Extract pbeloginmodule-1.0.1-module.zip to the modules directory of the Wildfly application server.

        Note

        For example, if Keep is installed to create a node named Production and it is installed to its default location, unpack the ZIP file’s contents to C:\Program Files\Formpipe Software\Lasernet Keep\Server_11.0 - Production\wildfly-22.0.1.Final\modules\.

      The Wildfly application server’s directory structure will now include a \modules\com\formpipe\tools\main directory.

      Generate an Encrypted Password

      In summary, during this part of the process you use the efs-pbetool CLI tool to encrypt the password. After the tool outputs the encrypted password, make a note of it because you will need the encrypted password during the next stage of this process.

      1. Open the ZIP file that you downloaded and then extract efs-pbetool.jar from it.

      2. Depending on whether you want to use the default encryption key or you want to provide one, follow the instructions in the appropriate following section:

        Note

        In the commands in the following sections, substitute <db-password> for the datasource password.

      3. Make a note of the encrypted password that efs-pbetool.jar generates.

      Use the Default Key to Encrypt the Password

      Run the following command: java -jar efs-pbetool.jar <db-password>

      Use a Provided Key to Encrypt the Password

      If you want to provide your own encryption key to encrypt the password (instead of using the default key), follow these steps:

      1. Generate the key value that you want to use.

      2. Add the key to a file named encryption.key.

      3. Run the following command. Substitute <path to encryption.key file> for the path to the encryption.key file that you created.

        java -jar efs-pbetool.jar <db-password> <path to encryption.key file>

        Note

        The path must be an absolute path that contains / (forward slashes). UNC paths are not supported.

      Configure Keep

      This part of the process adds the encrypted password to the Keep configuration and configures Keep to decrypt the password.

      Locate Readme.md in pbeloginmodule-1.0.1-dist.zip and follow the instructions in the ### Modify the datasource configuration part of that file. The process involves running a script that makes the necessary changes to Keep.

      Start Keep

      Start Keep. It will read the encrypted password from the configuration file, decrypt it, and then use the password to connect to the datasource.

      Troubleshooting and Rollback

      If you encounter any issues, check the server logs for relevant messages.

      If necessary, use the backup of the unmodified standalone.xml file to revert the configuration changes.

      What's Next