Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
415 views
in Technique[技术] by (71.8m points)

security - Credentials in the realms export data of keyCloak

As per my understanding, we can import or export the realm data of Keycloak by specifying some Java opts on Keycloak startup.

Regarding data export, will the exported realms JSON data also have the credentials? If yes, then won't it cause security issues, as anyone can check the credentials by opening the exported JSON file?

question from:https://stackoverflow.com/questions/65929290/credentials-in-the-realms-export-data-of-keycloak

He who fights with dragons for too long becomes a dragon himself; gaze too long into the abyss, and the abyss will gaze back…

1 Answer

0 votes
by (71.8m points)

Regarding data export, will the exported realms JSON data also have the credentials?

Yes, if you use the option -Dkeycloak.migration.action=export during Keycloak startup. However, from the Keycloak documentation:

Keycloak collects user credentials, such as password, OTP codes, and WebAuthn public keys. This information is encrypted and saved in a database, so it is not visible to Keycloak administrators. However, each type of credential can include non-confidential metadata that is visible to administrators such as the algorithm that is used to hash the password and the number of hash iterations used to hash the password.

The same applies to the JSON file; as long as the passwords are encrypted, it is fine.
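
A way to check what a given export file actually carries before it is stored or shared, as an added example that is not part of the original answer or of Keycloak's own tooling. The field names (users[].credentials[] with JSON-encoded secretData and credentialData, clients[].secret) and the treatment of all-asterisk secrets as masked placeholders are assumptions about the export layout; the sample document is constructed.

```python
import json

# Constructed sample in the layout a realm export is assumed to use.
# All values are made up; none is a real hash or secret.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "users": [{
        "username": "alice",
        "credentials": [{
            "type": "password",
            "secretData": json.dumps({"value": "bm90LWEtcmVhbC1oYXNo", "salt": "c2FsdA=="}),
            "credentialData": json.dumps({"hashIterations": 27500, "algorithm": "pbkdf2-sha256"}),
        }],
    }, {"username": "bob"}],  # user without stored credentials
    "clients": [
        {"clientId": "backend", "secret": "constructed-client-secret"},
        {"clientId": "console-export", "secret": "**********"},
        {"clientId": "spa", "publicClient": True},
    ],
})

def _embedded(value):
    # secretData / credentialData are JSON strings nested inside the JSON file.
    try:
        parsed = json.loads(value) if isinstance(value, str) else value
    except ValueError:
        parsed = None
    return parsed if isinstance(parsed, dict) else {}

def audit_export(text):
    """Return one finding per piece of credential material in a realm export."""
    realm = json.loads(text)
    findings = []
    for user in realm.get("users", []):
        for cred in user.get("credentials", []):
            meta = _embedded(cred.get("credentialData"))
            secret = _embedded(cred.get("secretData"))
            findings.append({
                "kind": "user-credential", "owner": user.get("username"),
                "type": cred.get("type"), "algorithm": meta.get("algorithm"),
                "iterations": meta.get("hashIterations"),
                "has_secret_material": bool(secret.get("value")),
            })
    for client in realm.get("clients", []):
        secret = client.get("secret")
        # Assumption: a value made only of '*' is a masked placeholder.
        if secret and secret.strip("*"):
            findings.append({"kind": "client-secret", "owner": client.get("clientId")})
    return findings
```

Any finding means the file holds material that supports offline guessing (password hashes with their salt and parameters) or direct use (client secrets), so it needs the same access control as the database it came from.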

