Hardening Security for Secrets

JFrog Platform Administration Documentation


Artifactory uses a set of encrypted parameters (secrets) to connect to external resources such as the different databases it relies on. While these secrets may be stored in the configuration file, doing so poses a risk of their being exposed.

To keep secrets safe from exposure, you may pre-load them from a temporary file when you start up the system. Once the system has read and successfully used the secrets, the file is deleted.

The snippet below shows an example of the parameters you could include in this temporary file. These are the parameters Artifactory uses to connect to a PostgreSQL database.

type=postgresql
driver=org.postgresql.Driver
url=jdbc:postgresql://postgresql:5432/artifactory
username=artifactory
password=JE2cyPQtEmJovMbxwEGrghre9EXcu4ANtTtPu9Lk3s15UPs73M

While we recommend only including sensitive information such as encrypted connection strings, this file may contain any of the database configuration parameters, and any parameters specified (including environment variables and system properties) will override the corresponding ones in the database configuration file.

To load parameters using this mechanism, place them in the following temporary file before you start up Artifactory:

$JFROG_HOME/artifactory/var/etc/artifactory/.secrets/.temp.db.properties (Generic Directory Layout)

Execute on every restart of Artifactory

Since the temporary file is deleted when Artifactory starts, you need to replace the temporary file each time you restart Artifactory.
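As an added example (not from the JFrog documentation), the following POSIX shell wrapper recreates the temporary secrets file with owner-only permissions before each start and then checks that Artifactory actually consumed (deleted) it. The property names and file path are from this page; the start command, the /opt/jfrog default for JFROG_HOME and the PRELOAD_DB_SECRETS/DB_PASSWORD variables are assumptions.

```shell
#!/bin/sh
# Wrapper: write .temp.db.properties (owner-readable only), start Artifactory,
# then confirm the file was read and removed. Assumed: START_CMD, JFROG_HOME default.
JFROG_HOME="${JFROG_HOME:-/opt/jfrog}"          # default path is an assumption
SECRETS_DIR="$JFROG_HOME/artifactory/var/etc/artifactory/.secrets"
SECRETS_FILE="$SECRETS_DIR/.temp.db.properties"
# Assumed start command; adjust to how Artifactory is started on this host.
START_CMD="${START_CMD:-$JFROG_HOME/artifactory/app/bin/artifactoryctl start}"

# write_secrets_file DIR PASSWORD [URL] [USERNAME]
# Creates DIR/.temp.db.properties with mode 0600 so the password is never
# world-readable while it waits on disk. Prints the file path.
write_secrets_file() {
    dir="$1"; password="$2"
    url="${3:-jdbc:postgresql://postgresql:5432/artifactory}"
    user="${4:-artifactory}"
    file="$dir/.temp.db.properties"
    # umask in a subshell: directory 0700 and file 0600 from the moment they exist.
    ( umask 077; mkdir -p "$dir"; : > "$file" )
    chmod 600 "$file"
    printf '%s\n' \
        "type=postgresql" \
        "driver=org.postgresql.Driver" \
        "url=$url" \
        "username=$user" \
        "password=$password" > "$file"
    printf '%s\n' "$file"
}

# secrets_consumed FILE TIMEOUT_SECONDS
# Returns 0 once Artifactory has read and deleted FILE, 1 if it still exists after
# TIMEOUT_SECONDS (a leftover file means the secrets were not picked up and are still on disk).
secrets_consumed() {
    file="$1"; waited=0
    while [ -e "$file" ]; do
        [ "$waited" -ge "$2" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Run on every (re)start: Artifactory deletes the file, so it must be recreated each time.
if [ "${PRELOAD_DB_SECRETS:-0}" = "1" ]; then
    # DB_PASSWORD is supplied by the caller (e.g. injected from a secret manager), never hard-coded here.
    write_secrets_file "$SECRETS_DIR" "${DB_PASSWORD:?set DB_PASSWORD}" >/dev/null
    $START_CMD
    secrets_consumed "$SECRETS_FILE" 120 || echo "warning: $SECRETS_FILE still present" >&2
fi
```

Run it as `PRELOAD_DB_SECRETS=1 DB_PASSWORD=... ./start-artifactory.sh` (an assumed script name) in place of the plain start command so the file is rewritten before every restart.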