Hiding/Encrypting database password in the application.properties file in a simple and secure way using spring-boot-jasypt

Rajeev Shukla, published in Developervisits, Apr 28, 2019

1. Introduction

Java Simplified Encryption, also known as Jasypt, is a Java library that lets a developer add basic encryption capabilities to a project with minimal effort and without needing deep knowledge of how cryptography works.

It integrates with Spring-based applications and can also be integrated transparently with Spring Security and many other frameworks.

2. Adding Jasypt dependency

When it comes to adding the Jasypt dependency there are several ways to do it. Which one you pick is entirely up to you.

2.1 Remove Spring Boot's core dependency and add the Jasypt-enabled Spring Boot core dependency.

Remove the dependency below from your project; it only covers Spring Boot core:

Add the Jasypt-enabled Spring core dependency below, which bundles Spring Boot together with Jasypt. With this you do not need to change anything else in your project: the @EnableAutoConfiguration annotation is enough to get going.

2.2 If you do not want to use the Jasypt Spring starter dependency, the alternative is to add the dependency below:

and annotate your main configuration class with @EnableEncryptableProperties.

That is it. Spring Boot will now enable encryptable properties across the entire Spring Environment.

3. Creating an encrypted key

input: The actual password that you want to hide.

password: The secret key used to encrypt the input; the same key is needed later to decrypt it. Note this key down, because you will need it for decryption at run time.

PBEWithMD5AndDES: A password-based version of the DES algorithm that uses an MD5 hash of the specified password as the encryption key.

Update

From version 3.0.0 on, Jasypt uses PBEWITHHMACSHA512ANDAES_256 as its default encryption algorithm. If you encrypt with PBEWithMD5AndDES, as we do here, but run with the defaults, decryption will fail. Either encrypt with the default PBEWITHHMACSHA512ANDAES_256 algorithm, or add the properties below so the application keeps using PBEWithMD5AndDES.

The error looks something like this:

Unable to decrypt: ENC(MyEncryptedPass). The decryption of Properties failed, make sure encryption/decryption passwords match

To fix this problem you have to add two properties to your application.properties file:

jasypt.encryptor.algorithm=PBEWithMD5AndDES
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator

For more details see here

4. Adding encrypted key into application.properties

The output you get from step #3 is the actual property value that goes into application.properties.

Before adding that encrypted value you need to know how Jasypt decides whether a value should be decrypted at all. To distinguish encrypted values from plain ones, Jasypt uses a default convention: the encrypted value is wrapped as ENC(<encrypted value here>).

Example:

Jasypt reads all the properties from application.properties or from any classpath properties file you pass it. You are not limited to securing only the DB password: you can secure any property you want, simply by using the prefix ENC( and the suffix ) around the encrypted value.

The ENC() wrapper can be changed to a custom one such as SEC(), or anything else you like, but that is a separate topic of discussion.

5. Passing Jasypt secret key in command line argument

Now we need to tell the program how to decrypt the encrypted value at run time when it is needed. To do that we have to pass the secret key into our application. There are various ways to do this:

5.1 As a Maven system property: mvn -Djasypt.encryptor.password=secretkey spring-boot:run

5.2 As an environment variable: export JASYPT_ENCRYPTOR_PASSWORD=secretkey, then run your application as a plain Java application.

5.3 (Using STS/Eclipse) Right-click the main class > Run As > Run Configurations and pass the secret key as a VM argument, like below.

5.4 Using Spring Cloud Vault: this is the most secure option. Please follow the link to read how to secure the key using Spring Cloud Vault.
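The whole round trip from sections 3 to 5 in one place, as an added example that is not code from the post or from the Jasypt project: it builds the encryptor from the same settings the properties file carries, produces the ENC(...) line, resolves it the way the starter does at run time, and then shows that the 3.0.0+ default algorithm cannot decrypt a PBEWithMD5AndDES value, which is the cause of the "Unable to decrypt" error above. The secret key and database password are constructed sample values; the class names are from Jasypt 1.9.3, and the last call is expected to throw EncryptionOperationNotPossibleException.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.NoIvGenerator;
import org.jasypt.iv.RandomIvGenerator;

public class JasyptPropertyDemo {
    /** Build an encryptor from the same settings the properties file carries. */
    static StandardPBEStringEncryptor encryptor(String secretKey, boolean legacy) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(secretKey);                              // jasypt.encryptor.password
        if (legacy) {                                            // the two properties from section 3
            enc.setAlgorithm("PBEWithMD5AndDES");                // jasypt.encryptor.algorithm
            enc.setIvGenerator(new NoIvGenerator());             // jasypt.encryptor.iv-generator-classname
        } else {                                                 // 3.0.0+ defaults: AES-256 with a random IV
            enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
            enc.setIvGenerator(new RandomIvGenerator());
        }
        return enc;
    }

    /** Resolve one property value: decrypt it only if it is wrapped as ENC(...). */
    static String resolve(StandardPBEStringEncryptor enc, String value) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return enc.decrypt(value.substring(4, value.length() - 1));
        }
        return value; // plain values pass through untouched
    }

    public static void main(String[] args) {
        String secretKey = "secretkey"; // constructed sample; supply via -D, env var or Vault in practice
        StandardPBEStringEncryptor legacy = encryptor(secretKey, true);

        // Sections 3 and 4: the line that goes into application.properties ("dbPassword123" is a sample input)
        String line = "spring.datasource.password=ENC(" + legacy.encrypt("dbPassword123") + ")";
        System.out.println(line);

        // Section 5: at run time the matching configuration resolves the value, plain values are untouched
        String value = line.substring(line.indexOf('=') + 1);
        System.out.println("resolved: " + resolve(legacy, value));
        System.out.println("untouched: " + resolve(legacy, "app_user"));

        // The 3.0.0+ defaults cannot decrypt a PBEWithMD5AndDES value: this is the error from section 3
        try {
            resolve(encryptor(secretKey, false), value);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("algorithm mismatch: set jasypt.encryptor.algorithm and iv-generator-classname");
        }
    }
}
```

Run it with jasypt 1.9.3 on the classpath; each run prints a different ENC(...) value because Jasypt salts every encryption, and every one of them resolves to the same password.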

6. Summary

So far we have seen how easy it is to encrypt passwords, or any other text we want to hide. This is the simplest form of the setup, and it is enough to get going, but sometimes we need to customize some of its behaviour to fit the application. In that case I recommend going through the Jasypt documentation, which covers a lot that I have not mentioned here.

Likes/comments are appreciated.

👉🏼 Check out my next post on how to Integrate Spring Security OAuth2 with Facebook along with Form-based login
