Encrypt the Lasernet Keep Datasource Password

By default, the password that Keep uses to connect to its datasource is stored as cleartext.

To mitigate this security risk, Keep can store an encrypted password. This ensures that the password is not revealed when Keep configuration files are viewed or shared.

Note

A Keep system’s datasource is a database, so the subject of this guide is the database connection password.

Note

This guide applies only to Keep systems running in standalone mode.

In summary, the implementation process for encrypting the Keep datasource password is:

  1. Complete prerequisite steps.

  2. Install the custom Wildfly login module.

  3. Generate an encrypted password.

  4. Configure Keep.

  5. Start Keep.

The steps are described in detail below.

Prerequisite Steps

Download the Required Files

To implement datasource password encryption, you will need the following components:

  • efs-pbetool.jar: A CLI tool that encrypts the password.

  • pbeloginmodule-1.0.1-module.zip: A ZIP archive that contains the Wildfly module that decrypts the password at runtime.

These components are packaged into a single ZIP file. This package includes PbeLoginModule-1.0.1.

https://lngsupportdownloads.blob.core.windows.net/autoformdm/Tools/pbeloginmodule-1.0.1-dist.zip

Back Up the Current Keep Configuration File

Locate the standalone.xml Keep configuration file and make a backup copy of it. This file is in the \standalone\configuration directory of the Wildfly application server.

For example, if Keep is installed to create a node named Production and it is installed to its default location, the configuration file is C:\Program Files\Formpipe Software\Lasernet Keep\Server_11.0 - Production\wildfly-22.0.1.Final\standalone\configuration\standalone.xml.

Install the Custom Wildfly Login Module

To install the password decryption module:

  1. Open the ZIP file that you downloaded and then find pbeloginmodule-1.0.1-module.zip within it.

  2. Extract pbeloginmodule-1.0.1-module.zip to the modules directory of the Wildfly application server.

    Note

    For example, if Keep is installed to create a node named Production and it is installed to its default location, unpack the ZIP file’s contents to C:\Program Files\Formpipe Software\Lasernet Keep\Server_11.0 - Production\wildfly-22.0.1.Final\modules\.

The Wildfly application server’s directory structure will now include a \modules\com\formpipe\tools\main directory.

Generate an Encrypted Password

In summary, during this part of the process you use the efs-pbetool CLI tool to encrypt the password. After the tool outputs the encrypted password, make a note of it because you will need the encrypted password during the next stage of this process.

  1. Open the ZIP file that you downloaded and then extract efs-pbetool.jar from it.

  2. Follow the instructions in one of the sections below, depending on whether you want to use the default encryption key or provide your own:

    Note

    In the commands in the following sections, replace <db-password> with the datasource password.

  3. Make a note of the encrypted password that efs-pbetool.jar generates.

Use the Default Key to Encrypt the Password

Run the following command:

    java -jar efs-pbetool.jar <db-password>

Use a Provided Key to Encrypt the Password

If you want to provide your own encryption key to encrypt the password (instead of using the default key), follow these steps:

  1. Generate the key value that you want to use.

  2. Add the key to a file named encryption.key.

  3. Run the following command. Replace <path to encryption.key file> with the path to the encryption.key file that you created.

    java -jar efs-pbetool.jar <db-password> <path to encryption.key file>

    Note

    The path must be an absolute path that contains / (forward slashes). UNC paths are not supported.

Configure Keep

This part of the process adds the encrypted password to the Keep configuration and configures Keep to decrypt the password.

Locate Readme.md in pbeloginmodule-1.0.1-dist.zip and follow the instructions under the "### Modify the datasource configuration" heading of that file. The process involves running a script that makes the necessary changes to Keep.

Start Keep

Start Keep. It will read the encrypted password from the configuration file, decrypt it, and then use the password to connect to the datasource.

Troubleshooting and Rollback

If you encounter any issues, check the server logs for relevant messages.

If necessary, use the backup of the unmodified standalone.xml file to revert the configuration changes.
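The backup of standalone.xml taken in the prerequisite steps still holds the cleartext password, as do the copies Wildfly keeps in standalone_xml_history. The following PowerShell check is an added example, not part of the vendor package: it reports which configuration copies still carry a literal datasource password, without printing the value. The function name and sample XML are constructed for illustration, and it assumes that after the Configure Keep step the datasource no longer contains a literal `<password>` element.

```powershell
# Added example (not vendor code): report datasources whose password is still cleartext.
param([string]$ConfigDir)   # e.g. the node's \standalone\configuration directory

function Find-CleartextDatasourcePassword {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Config, [string]$Source = '(inline sample)')
    # local-name() keeps the query independent of the datasources schema version.
    $query = "//*[local-name()='datasource' or local-name()='xa-datasource']" +
             "/*[local-name()='security']/*[local-name()='password']"
    foreach ($node in $Config.SelectNodes($query)) {
        $value = $node.InnerText.Trim()
        # Empty values and ${...} expressions (vault, property) are not literal secrets.
        if (-not $value -or $value.StartsWith('${')) { continue }
        $ds = $node.ParentNode.ParentNode
        [pscustomobject]@{
            Source     = $Source
            Datasource = $ds.GetAttribute('pool-name')
            Length     = $value.Length   # report the length only, never the password
        }
    }
}

if ($ConfigDir) {
    # Covers standalone.xml, manual backups and Wildfly's standalone_xml_history copies.
    Get-ChildItem -LiteralPath $ConfigDir -Recurse -File |
        Where-Object { $_.Name -like '*standalone*' } |
        ForEach-Object {
            try   { Find-CleartextDatasourcePassword -Config (Get-Content -LiteralPath $_.FullName -Raw) -Source $_.FullName }
            catch { Write-Warning "Skipped $($_.FullName): $($_.Exception.Message)" }
        }
} else {
    # Constructed sample: one cleartext datasource, one that uses a security domain.
    $sample = @'
<server xmlns="urn:jboss:domain:15.0">
  <subsystem xmlns="urn:jboss:domain:datasources:6.0">
    <datasources>
      <datasource jndi-name="java:/SampleDS" pool-name="SampleDS">
        <security><user-name>keep</user-name><password>constructed-value</password></security>
      </datasource>
      <datasource jndi-name="java:/OtherDS" pool-name="OtherDS">
        <security><security-domain>sample-domain</security-domain></security>
      </datasource>
    </datasources>
  </subsystem>
</server>
'@
    Find-CleartextDatasourcePassword -Config $sample
}
```

Run without arguments, it flags only SampleDS in the constructed sample. Any file it reports from a real configuration directory should be stored with restricted access, or deleted once rollback is no longer needed.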
