JFR: Scrubbing sensitive information from events

Erwan Viollet erwan.viollet at gmail.com
Mon Jun 2 13:30:19 UTC 2025


Hello,

I am currently looking into how to remove sensitive information from JFR
events. The main events that typically contain sensitive information are
jdk.SystemProcess, jdk.InitialSystemProperty and jdk.JVMInformation.
Passwords from command lines can typically be found in these events.

Dropping these events altogether is not ideal, as we need them to make
relevant performance recommendations to users (e.g. suggesting JVM or
system setting adjustments).

Dropping them or scrubbing them on the backend side (after the fact)
requires decompressing and re-writing these events, which is wasteful in
terms of both compute and storage. The approach is not perfect, as we still
end up intaking and temporarily storing sensitive information.

Ideally, we would like to be able to scrub or redact only the sensitive
fields within these events (for example, using a simple regex or
pattern-based rule), rather than dropping the whole event. We also want to
avoid handling this only after the event has already been written to the
JFR file, as that does not fully mitigate the risk of exposing sensitive
data.

At present, it appears there is no public API or supported mechanism to
intercept or scrub JFR events in-process, before they are persisted. What
would you think of an API accepting custom scrubbing patterns so that
sensitive data never leaves the JVM in an unredacted state?

Are there any plans or discussions in this area? I am fairly new to the JFR
world, so it is likely that I missed previous discussions around this.

Thank you, Best regards,

Erwan Viollet,

Profiling team, Datadog
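
The pattern-based redaction asked for above, sketched as an added example that is not part of the original post and not an existing JFR API: it masks only the secret part of a command line or system property and leaves the rest intact for diagnostics. The class name, the keyword rule set and the sample strings are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added example: redact secrets inside command-line style strings, keeping the rest. */
public class CommandLineScrubber {
    static final String MASK = "[REDACTED]";
    // Assumed rule set: key names that mark a value as secret (not a JFR setting).
    static final String WORDS = "(?:password|passwd|secret|token|api[_-]?key)";
    static final String KEY = "[\\w.-]*" + WORDS + "[\\w.-]*";
    // A value is either a double-quoted string or a run of non-space characters.
    static final String VALUE = "(\"[^\"]*\"|[^\\s\"]+)";

    static final Pattern SECRET_KEY = Pattern.compile("(?i)" + WORDS);
    // key=value forms: -Ddb.password=x, --token=x, API_KEY=x
    static final Pattern ASSIGN =
            Pattern.compile("(?i)(?<![\\w.-])(" + KEY + "\\s*=\\s*)" + VALUE);
    // Flag followed by a separate value: --password x (the value must not be another flag).
    static final Pattern FLAG =
            Pattern.compile("(?i)(?<![\\w.-])(-" + KEY + "\\s+)(?!-)" + VALUE);
    // Credentials in URL userinfo: scheme://user:pass@host
    static final Pattern URL_USERINFO = Pattern.compile("(://[^\\s/:@]+:)[^\\s/@]+(@)");

    /** Masks secret values in a command line; everything else is returned unchanged. */
    static String scrub(String text) {
        if (text == null) return null;
        String s = URL_USERINFO.matcher(text).replaceAll("$1" + MASK + "$2");
        s = ASSIGN.matcher(s).replaceAll("$1" + MASK);
        return FLAG.matcher(s).replaceAll("$1" + MASK);
    }

    /** For key/value pairs such as system properties: decide by key, else scan the value. */
    static String scrubProperty(String key, String value) {
        return SECRET_KEY.matcher(key).find() ? MASK : scrub(value);
    }

    public static void main(String[] args) {
        String[] samples = {  // constructed sample inputs
            "java -Ddb.password=hunter2 -Xmx2g -jar app.jar",
            "/usr/bin/mysql --user admin --password s3cr3t --host db1",
            "java -Durl=jdbc:postgresql://app:pw123@db.internal/prod -jar svc.jar",
        };
        for (String s : samples) System.out.println(scrub(s));
        System.out.println("db.password=" + scrubProperty("db.password", "hunter2"));
    }
}
```

Keyword rules of this kind over-redact by design (a flag such as --password-file loses its path) and miss secrets passed positionally, so they reduce exposure rather than guarantee it.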


More information about the hotspot-jfr-dev mailing list