JDK-8354469 : Keytool exposes the password in plain text when command is piped using | grep
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-04-13
  • Updated: 2025-11-03
  • Resolved: 2025-10-15
  • JDK 11: 11-pool-oracle (Unresolved)
  • JDK 17: 17-pool-oracle (Unresolved)
  • JDK 21: 21-pool-oracle (Unresolved)
  • JDK 25: 25-pool (Unresolved)
  • JDK 26: 26 b20 (Fixed)
  • JDK 8: 8-pool (Unresolved)
Sub Tasks
JDK-8369945
Description
Keytool exposes the password in plain text when command is piped using | grep. 

keytool -v -list -keystore storename.jks | grep <word>

This default behavior is an insecure practice, leading to potential leaks, especially in shared environments. Some workarounds exist, such as using environment variables or password files to avoid unmasked passwords, but they are still not ideal due to the risk of leaving sensitive data on the disk. We propose:

- Interactive prompt support: Allow secure masked password input when -storepass is omitted (preferred option) 

or 

- Warn on insecure usage: Detect and warn that passwords will be shown in plaintext when piping the output
- Improve documentation: Promote other options such as :file and :env alongside -storepass for piping
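
The environment-variable workaround mentioned in the description, as an added example that is not part of the original report: a POSIX shell wrapper that prompts with terminal echo disabled and hands the password to keytool through -storepass:env, so only the variable name appears on the command line. KEYTOOL_BIN, KS_PASS and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not part of the JDK issue. KEYTOOL_BIN, KS_PASS and the
# function names are chosen for this sketch.
KEYTOOL_BIN="${KEYTOOL_BIN:-keytool}"

# read_secret PROMPT: print PROMPT on stderr (so it is still visible when
# stdout is piped) and read one line from stdin into $secret without echo.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        # Restore the terminal settings if the user interrupts the prompt.
        trap 'stty "$saved_tty"; exit 130' INT TERM
        stty -echo
        IFS= read -r secret; rc=$?
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        # Non-interactive stdin, e.g. another program supplying the value.
        IFS= read -r secret; rc=$?
    fi
    [ "$rc" -eq 0 ] || [ -n "$secret" ]
}

# keystore_grep KEYSTORE PATTERN: list the keystore and filter with grep.
keystore_grep() {
    read_secret "Keystore password: " || return 1
    # KS_PASS is set only in the environment of the keytool process;
    # -storepass:env makes keytool read the password from that variable.
    KS_PASS="$secret" "$KEYTOOL_BIN" -v -list -keystore "$1" \
        -storepass:env KS_PASS | grep -- "$2"
    rc=$?
    unset secret
    return "$rc"
}

# Usage: keystore_grep storename.jks <word>
```

The function returns grep's exit status, so a non-zero result means no line matched the pattern.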
Comments
A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk25u/pull/332
Date: 2025-10-22 08:59:50 +0000
22-10-2025

Changeset: a7a3a660
Branch: master
Author: Weijun Wang <weijun@openjdk.org>
Date: 2025-10-15 20:47:46 +0000
URL: https://git.openjdk.org/jdk/commit/a7a3a660e33fabc025ebe887f5605741be9ca8c3
15-10-2025

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/27196
Date: 2025-09-10 15:43:52 +0000
10-09-2025

A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/24805
Date: 2025-04-22 22:43:08 +0000
23-04-2025