Rundeck: Prevent leaking encryption password to job step executions

Is your feature request related to a problem? Please describe.
I'm happy that Rundeck supports key and configuration encryption out of the box with the JasyptEncryptionConverterPlugin. However, I'm not able to configure the encryption passwords without leaking the passwords in one way or another.

According to the documentation, I can pass an encryption password to the plugin in three different ways:

1. Specifying the password directly in the rundeck-config.properties file by setting password
2. Specifying the name of a system property in rundeck-config.properties by setting passwordSysPropName
3. Specifying the name of an environment variable in rundeck-config.properties by setting passwordEnvVarNam

In each case, the encryption password is leaked to any user who is able to configure jobs in Rundeck which run on localhost, e.g.

1. Execute cat /etc/rundeck/rundeck-config.properties: passwords are leaked as they are stored in clear-text
2. Run service rundeckd status: passwords are leaked as they are available via the properties set as command-line parameters. If the system properties were be provided as a file, the rundeck user would require access to this file resulting in the leak described in 1.
3. Run printenv: passwords are available in the environment variables printed by printenv.

Thus, I'm not able to prevent a malicious user (or just a curious user) from reading the encryption password. This issue was already raised by another user at stackoverflow: https://stackoverflow.com/questions/52745602/rundeck-key-storage-passwords-saved-in-plain-text

Describe the solution you'd like
The passwords should only be available to the process running Rundeck (and none of its sub-processes) and the root user. I don't think this can be achieved via system properties, but it would be possible with environment variables.

Lets assume we have created the file /etc/default/rundeckd with owner root and mode 0400. The rundeck user won't be able to read this file. It will, however, be sourced by /etc/rundeck/profile while the service is started in the initd file (/etc/init.d/rundeckd).

Within /etc/default/rundeckd we define our encryption password by specifying

export ENC_PW=my-secret

To use this password, we have to configure in /etc/rundeck/rundeck-config.properties

rundeck.storage.converter.1.type=jasypt-encryption
rundeck.storage.converter.1.path=keys
rundeck.storage.converter.1.config.encryptorType=custom
rundeck.storage.converter.1.config.passwordEnvVarName=ENC_PW
rundeck.storage.converter.1.config.algorithm=PBEWITHSHA256AND128BITAES-CBC-BC
rundeck.storage.converter.1.config.provider=BC

This already works perfectly fine. The password specified in /etc/default/rundeckd is picked up by the converter plugin, but is not accessible via file reads by the rundeck user. Unfortunately, the environment variables are passed to the sub-processes of the Rundeck process, i.e. they can be seen by executing printenv, for instance.

Two possible solutions for this issue come to my mind:

• Don't pass any environment variables to sub-processes for executing a job's steps on localhost
• Allow to define a environment variable blacklist which is applied before creating a sub-process for executing a job's steps on localhost

The latter approach is preferable because it is backwards compatible and less invasive. It would allow to prevent leaking sensitive information to job step executions.

Describe alternatives you've considered
I thought about forcing the users to run jobs always via SSH (run on localhost by establishing an SSH connection to localhost), but apparently, a user can always choose to run a job locally.