Password Manager module

Security and authentication Bundled: Community Edition

Edition CE




Maven site



The Password Manager module stores encrypted passwords and allows you to retrieve their plain text value programmatically. This is useful for connector modules that need to authenticate to third-party systems with a plain text password.

Once the password is stored, an AdminCentral user can’t see the password in plain text. The plain-text value can only be retrieved programmatically.

The module installs the Passwords app that centralizes the management of passwords in the administration of Magnolia. The passwords are stored in a dedicated workspace called keystore.

Installing with Maven

Bundled modules are automatically installed for you.

If the module is unbundled, add the following to your bundle including your project’s <dependencyManagement> section and your webapp’s <dependencies> section. If the module is unbundled but the parent POM manages the version, add the following to your webapp’s <dependencies> section.

  <version>1.2.8</version> (1)
1 Should you need to specify the module version, do it using <version>.

The keystore workspace

The passwords are stored in a dedicated workspace called keystore.

Password manager module

The mgnl:passwords node type

The module provides a specific node type for the passwords called mgnl:password.

Password Manager key pair

In Magnolia 6.2.44 and later, the Password Manager module key pair is no longer linked to the activation key pair.

When upgrading, you must add the magnolia.password.manager.key.location property to your file. This property enables the system to generate the key pair file for the Password Manager.

The location of this file should typically be the same as where the file is. The location must be both accessible by Magnolia and persisted. If no file is present, the Password Manager can’t create passwords. If the modules/password-manager-core@publicKey value isn’t present in the JCR, the Password Manager can’t decrypt passwords.

Password Manager uses a dedicated key pair. The public key that’s used for decryption must be present in modules/password-manager-core@publicKey.

If you are using docker, you must ensure that the new key pair file is mounted to an external volume. Otherwise the key pair is regenerated on the next deployment and the passwords won’t work.

If you create a new public instance, the public keys need to be synchronized. To synchronize them, you can publish them on the public instances or manually add them to the public instance config workspace.

The key pair is also stored on the local file system in a file called by default. The path to this file is configured in the Magnolia property magnolia.password.manager.key.location. The file contains both the private and the public keys used to encrypt and decrypt passwords stored by the Password Manager.

If you want to change the Password Manager key pair:

  1. In the file, check the location of the password manager key pair file set in magnolia.password.manager.key.location.

  2. Go to your password manager key pair file and update the public and private key values in the file.

  3. Copy and paste the updated public key value from the file into the /modules/password-manager-core@publicKey property. Use the Configuration app to do so.

  4. Reenter any passwords in the Passwords app.

  5. Publish both the public key and the updated passwords to the public instances.


Content can be exported and imported for bootstrapping like any other workspace. However, the same encryption key must be used to decrypt the imported passwords as well as encrypt the export.


See the Passwords app page.


DX Core



This widget lets you know where you are on the docs site.

You are currently perusing through the DX Core docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules