CONCEPT Cited by 1 source
# File-based credential store

## Definition

A file-based credential store is a compliance-substrate pattern where database or service credentials are held in a DBA-provisioned (or operator-provisioned) file on disk rather than being embedded in application configuration files or environment variables. The client reads the credential from the file at connect time; the application configuration points at the file location, never the credential itself.

Canonical wiki instance: Oracle Wallet, introduced by the 2026-04-09 Redpanda Connect oracledb_cdc launch post.
## Properties
- Credential ownership separation. Credentials are provisioned by the DBA / operator / security team; the application developer never handles plain text. Creates a separation-of-duties audit trail.
- No plain-text secrets in config. The application's configuration file contains at most a path and (optionally) an auto-login-wallet selector — never the password itself. Fails fewer security reviews in regulated environments (finance, healthcare, government).
- Redacted password handling. When a password is required to open the credential file (e.g. PKCS#12 wallet), the system consuming the credential treats the password as a secret — redacts it from logs, config dumps, and diagnostic output. Canonical wiki verbatim from the Redpanda Oracle CDC post: "It's treated as a secret field and will be redacted from logs and config dumps."
- Auto-rotation compatibility. Because the config points at the file rather than the credential, rotating the credential is a file-replacement operation — no application redeploy required. (Rotation mechanics are typically DBA-side.)
- Audit-trail friendly. File access + credential rotation live on the DBA's operational audit surface, not the application's. Sibling concept: audit trail at the credential-management layer.
## Two common sub-shapes

- Auto-login / SSO file. The credential file encodes the credential and is readable by the client without a password. Canonical instance: Oracle Wallet `cwallet.sso`.
- Password-protected file. The file is encrypted with a password supplied via a secondary channel (environment variable, secret-manager lookup, etc.). Canonical instance: Oracle Wallet `ewallet.p12` (PKCS#12 format).
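As an added example (not code from the page, from Oracle, or from the Redpanda Connect project), the contract that the properties above and the two sub-shapes describe, seen from the application side, in Python. The on-disk format is a constructed JSON stand-in, not Oracle Wallet's; the names `AppConfig`, `provision_store`, `open_store`, `connection_record`, the env var `STORE_OPEN_PW`, the user `cdc_reader` and the DSN are assumptions. What it shows: the config carries a path and the name of a secondary-channel variable, never a credential; the credential is read from the file at connect time; both the open password and the database password are `Secret` values that redact in logs and config dumps; rotation is an atomic file replacement with no config change; and the password-protected shape fails closed when its open password is absent.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from dataclasses import asdict, dataclass
from typing import Optional


class Secret:
    """Sensitive string whose repr()/str() redact, so it cannot leak via logs or dumps."""
    def __init__(self, value: str) -> None:
        self._value = value
    def reveal(self) -> str:
        return self._value
    def __repr__(self) -> str:
        return "[REDACTED]"
    __str__ = __repr__

@dataclass(frozen=True)
class AppConfig:
    """What the application ships: connect string, store path and, for the protected
    shape, the NAME of the env var holding the open password. Never a credential."""
    dsn: str
    store_path: str
    store_password_env: Optional[str] = None

@dataclass(frozen=True)
class Credential:
    user: str
    password: Secret

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def provision_store(path: str, user: str, password: str,
                    open_password: Optional[str] = None) -> None:
    """DBA-side: write or rotate the file. Without open_password it is the auto-login
    shape; with it, the password-protected shape, gated here by a PBKDF2 verifier
    (a real PKCS#12 wallet encrypts its contents; this constructed stand-in only gates them)."""
    doc = {"kind": "auto-login", "user": user, "password": password}
    if open_password is not None:
        salt = secrets.token_bytes(16)
        doc["kind"] = "password-protected"
        doc["verifier"] = {"salt": salt.hex(), "hash": _derive(open_password, salt).hex()}
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(doc, fh)
    os.chmod(tmp, 0o600)   # owner-only, like a provisioned wallet directory
    os.replace(tmp, path)  # atomic swap: a rotation never exposes a half-written file

def open_store(cfg: AppConfig) -> Credential:
    """Client-side, at connect time: read the file the config points at. The protected
    shape needs the open password from the secondary channel; missing or wrong fails closed."""
    with open(cfg.store_path) as fh:
        doc = json.load(fh)
    if doc["kind"] == "password-protected":
        if not cfg.store_password_env or cfg.store_password_env not in os.environ:
            raise PermissionError("store is password-protected but no open password supplied")
        open_pw = Secret(os.environ[cfg.store_password_env])
        v = doc["verifier"]
        if not hmac.compare_digest(_derive(open_pw.reveal(), bytes.fromhex(v["salt"])),
                                   bytes.fromhex(v["hash"])):
            raise PermissionError("wrong open password for credential store")
    elif doc["kind"] != "auto-login":
        raise ValueError(f"unknown store kind {doc['kind']!r}")
    return Credential(user=doc["user"], password=Secret(doc["password"]))

def connection_record(cfg: AppConfig, cred: Credential) -> dict:
    """What a diagnostic log may carry: config (a path and an env-var name), user, redacted password."""
    return {"config": asdict(cfg), "user": cred.user, "password": repr(cred.password)}

def demo() -> dict:
    """Provision, connect, rotate by file replacement, reconnect, then drop the open
    password to show the store fails closed. Returns what each step saw."""
    with tempfile.TemporaryDirectory() as d:
        cfg = AppConfig(dsn="oracle://db-host:1521/ORCL", store_path=os.path.join(d, "store.json"),
                        store_password_env="STORE_OPEN_PW")  # constructed names
        os.environ["STORE_OPEN_PW"] = "open-sesame"          # the secondary channel (constructed)
        try:
            provision_store(cfg.store_path, "cdc_reader", "first-db-password", "open-sesame")
            first = open_store(cfg)
            record = connection_record(cfg, first)
            # Rotation: the DBA rewrites the file; the application config is untouched.
            provision_store(cfg.store_path, "cdc_reader", "second-db-password", "open-sesame")
            second = open_store(cfg)
            del os.environ["STORE_OPEN_PW"]
            try:
                open_store(cfg)
                fails_closed = False
            except PermissionError:
                fails_closed = True
        finally:
            os.environ.pop("STORE_OPEN_PW", None)
    return {"record": record, "user": second.user, "first": first.password.reveal(),
            "second": second.password.reveal(), "fails_closed": fails_closed}
```

The password-protected shape here only gates the file behind a PBKDF2 verifier so the example stays stdlib-only; with a real PKCS#12 wallet the contents are encrypted, so a missing or wrong open password surfaces as a decryption failure rather than a verifier mismatch, but the application-side rule is the same: the password comes from a secondary channel, is held as a secret, and never appears in the config dump that `connection_record` produces.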
## When to use
- Regulated environments (SOC 2, PCI-DSS, HIPAA, FedRAMP) where plain-text credentials in config fail audit.
- Long-lived service accounts that shouldn't rotate on every request (contrast: short-lived credential auth).
- DBA-gated credential ownership — when the security team wants exclusive control over what the connection looks like.
## When NOT to use
- Short-lived workloads (serverless functions, per-request containers) where rotating-credential models are cleaner — the file-distribution problem becomes its own challenge.
- Environments with mature secret-manager infrastructure (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager) where dynamic-credential-lease models provide better audit trails and shorter credential lifetimes.
## Composition with SSL / TLS
In the Oracle Wallet instance, SSL is enabled automatically when the client connects via wallet. The wallet + SSL pair replaces the two separate concerns (authentication + channel encryption) that would otherwise each need configuration — a canonical compliance-substrate composition where the two concerns are entwined by design.
## Comparison with adjacent substrates
| Substrate | What it authenticates | Where it lives | Rotation cost |
|---|---|---|---|
| Plain-text user/password in config | User | Config file | Redeploy |
| File-based credential store | User (via wallet) | DBA-provisioned file | File replace |
| Short-lived credential auth | User (via IdP token) | In-memory | Per-request |
| FIPS module | Cryptographic operations | OS library | Vendor upgrade |
The four address different axes (long-lived identity, short-lived identity, crypto operations) and compose rather than substitute.
## Seen in

- sources/2026-04-09-redpanda-oracle-cdc-now-available-in-redpanda-connect — canonical wiki introduction of the file-based credential store concept via Oracle Wallet on the CDC-client side of the Redpanda Connect Oracle CDC connector. Canonical verbatim: "Oracle Wallet is the standard answer: a file-based credential store provisioned by the DBA that the client uses instead of a username and password." Two wallet formats disclosed: `cwallet.sso` (auto-login, no password) and `ewallet.p12` (PKCS#12, password-protected).
## Related
- systems/oracle-wallet — canonical wiki instance.
- systems/oracle-database — source of wallets.
- systems/redpanda-connect-oracle-cdc — canonical consumer.
- concepts/short-lived-credential-auth — the rotating-credential alternative.
- concepts/fips-cryptographic-boundary — sibling compliance substrate at the crypto layer.
- concepts/audit-trail — the DBA audit surface that file-based stores compose with.
- patterns/external-credential-store-with-principal-rewrite — adjacent pattern at the credential-gateway altitude.