Encrypt template parameters that were marked as hidden before storing them in database.
Heat template parameters can be marked as hidden, but currently these values are stored in the database in plain text.
A template author currently marks a parameter as hidden so that its value will not be logged or displayed to the user in user interfaces.
The problem is that these values are probably sensitive pieces of data, so encrypting them in the database would provide some protection against an attacker who gains access to the database.
Leaving sensitive customer data unencrypted at rest provides many more ways for that data to get into the wrong hands or be taken outside the company. It is quick and easy to take a MySQL dump if the Linux system hosting the DB is compromised, which has nothing to do with Heat having a vulnerability. Encrypting the data also helps if a leak of arbitrary DB data does surface in Heat itself.
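As an added illustration of the proposal (example code written for this page, not Heat's own implementation), the following stdlib-only sketch encrypts exactly the parameters whose schema is marked hidden before the row is stored and restores them when the stack is loaded. The MARKER value, the key handling and the SHA-256 counter-mode cipher with an HMAC tag are assumptions made so the example runs offline; a deployment would use a vetted AEAD such as AES-GCM in place of that cipher.

```python
import base64, hashlib, hmac, json, os

MARKER = "encrypted_v1"  # hypothetical marker stored next to the ciphertext in the DB row

def _subkey(key, label):  # separate encryption and MAC keys derived from one master key
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):  # SHA-256 in counter mode; stdlib stand-in for an AEAD
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):  # encrypt-then-MAC; returns base64(nonce || ciphertext || tag)
    nonce, data = os.urandom(16), plaintext.encode()
    ct = _xor(data, _keystream(_subkey(key, b"enc"), nonce, len(data)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def unseal(key, token):  # verify the tag first, then decrypt
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hidden parameter ciphertext failed integrity check")
    return _xor(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))).decode()

def hidden_parameter_names(template):  # parameters whose schema says hidden: true
    return {n for n, s in template.get("parameters", {}).items() if s.get("hidden", False)}

def encrypt_hidden_params(template, params, key):  # run before the row is written
    hidden = hidden_parameter_names(template)
    return {n: [MARKER, seal(key, json.dumps(v))] if n in hidden else v
            for n, v in params.items()}

def decrypt_hidden_params(stored, key):  # run when the stack is loaded; inverse of the above
    return {n: json.loads(unseal(key, v[1]))
            if isinstance(v, list) and len(v) == 2 and v[0] == MARKER else v
            for n, v in stored.items()}

# Constructed sample template and parameters; the key is a placeholder, a real
# deployment reads it from configuration rather than source.
TEMPLATE = {"parameters": {"db_password": {"type": "string", "hidden": True},
                           "flavor": {"type": "string"}}}
PARAMS = {"db_password": "s3cret", "flavor": "m1.small"}
KEY = b"\x01" * 32
```

Only the hidden parameter is transformed; a wrong key or a modified ciphertext fails the integrity check instead of yielding garbage.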
Instead of encrypting only the hidden parameters, we could encrypt all the parameters as a single dictionary.
Encrypt the full disk where the entire MySQL database is stored, or encrypt the files where specific tables are stored.
Another alternative is to use CryptDB:
Integrate Barbican with Heat and use Barbican to store secrets.