Feature Request: Encrypt TabMon database password in config file

[ytbchan]

In the TabMon.config file, the password field displays clear text.

It will be good to be able to encrypt it like in the Tableau Server workgroup.yml file. Internal audit of some customers have concerns seeing any passwords in text form.

[danjrahm]

Marking this as a feature request.

[jmangue]

I am a big fan of additional security wherever possible, but I do have just a couple of thoughts I wanted to share on why this shouldn't be a deal-breaker for a cautious sysadmin..

• First and foremost -- The typical (and recommended) TabMon configuration has TabMon running on the same machine as its database, which means this password will never be transmitted over the network. Furthermore, any user with enough access on the machine to view the TabMon.config file in the clear would already have enough access to modify passwords or directly access data in Postgres.
• Many open-source applications store passwords in the clear (i.e. Redis).
• This password is only used for the TabMon database, which contains only performance monitoring data and no PII or other truly sensitive data.

[jmangue]

Updating title to reflect feature request status.

[ghost]

Is there a reason that Microsoft's Encrypted File System won't meet requirements? If TabMon is running as a user account, you can encrypt the configuration file with built-in tools and the service will still be able to read the credentials. This method encrypts the file such that you need to be logged on to the server with the TabMon service account, or if the server is in AD have access to any recovery escrow keys.