A secure way to encrypt any password in the config file in a Spring Boot project

Aanchal Sharma
Published in Engineering Jio
5 min read · Feb 17, 2020

Spring Boot is a Java-based framework for developing microservices and building enterprise-level applications.

You will often work on projects that have to connect to databases such as MongoDB and store the real password for the DB connection in the config file of the Spring Boot project (application.yml or application.properties). Passwords or tokens required for authorization when calling other APIs are usually stored in the same way.

You can avoid putting the actual password in the config file at all by using ‘jasypt-spring-boot’, a Java library.

What is Jasypt?

Jasypt (Java Simplified Encryption) provides encryption support for property sources in Spring Boot applications. It lets you add basic encryption features to your projects with very little effort and without writing any code!! Yes, you heard me right, no code…just a few additions in your project here and there. Spring Boot is a very powerful framework that lets you add this encryption capability without implementing any cryptography yourself. Jasypt is highly configurable.


Steps To Add Encryption Using Jasypt :

STEP 1 → Add maven dependency of jasypt

In the pom.xml file, add the Maven dependency, which can be found easily in the Maven repository. (I have used jasypt-spring-boot version 2.0.0 as I found it stable and was facing issues with version 3.0.0)

STEP 2 → Add annotation in the Spring Boot Application main Configuration class

The @EnableEncryptableProperties annotation needs to be added so that the application recognises encryptable properties across the entire Spring Environment.

STEP 3 → Decide a secret key to be used for encryption and decryption

The secret key (you can think of it as a salt used in cryptographic methods) is used to encrypt the password and later to decrypt the encrypted value back into the actual password. You can choose any value as the secret key, but anyone who knows it can decrypt every encrypted value in your config, so treat it with the same care as the passwords it protects.

STEP 4 → Generate Encrypted Key

The encrypted key can be generated by either of the following two methods:

4.1. Use the Jasypt Online Tool :

This link can be used to generate an encrypted key by passing the chosen secret key.

The password to encrypt: abcd1234

Select type of encryption: Two-way encryption (PBEWithMD5AndDES by default is used)

Secret Key: hello (It can be any value)

Encrypted String : kNuS1WAezYE7cph7zXVTiPSQSdHTx7Kv

You can also use the tool to verify the encrypted key by decrypting it again.

4.2. Use the jasypt Jar :

You can download the jasypt jar file from the Maven repository and run it with the following command:

java -cp /<Path where the jar is located>/jasypt-1.9.3/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="abcd1234" password=hello algorithm=PBEWithMD5AndDES

The command-line parameters passed to the jar mean the following:

  1. input: abcd1234 (Actual password to be encrypted)
  2. password: hello (the secret key chosen by you)
  3. algorithm: PBEWithMD5AndDES (default algorithm used)
  4. OUTPUT : scEjemHosjc/hjA8saT7Y6uC65bs0swg (Encrypted value of input)

Note: Although the encrypted values (the Encrypted String in 4.1 and the OUTPUT in 4.2) are different, jasypt draws a fresh random salt for every encryption and stores it together with the ciphertext, so as long as the secret key is the same, decryption yields the same value (abcd1234) in both cases.

STEP 5 → Add the encrypted key in the config file (application.yml or application.properties)

Now, instead of adding the actual password (“abcd1234” in the example above), you add the encrypted value generated by either of the methods above. But how will the jasypt dependency know that a particular property of the config file needs to be decrypted? To make Jasypt aware of your encrypted values, you wrap them using the following convention:

ENC(<encrypted key>)

ENC(scEjemHosjc/hjA8saT7Y6uC65bs0swg)

MongoDB password is encrypted

In the image above, the database password is encrypted. You can use the same approach anywhere you need to hide an actual password.
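To show what Steps 3 to 5 actually do in code, here is an added example (not part of the article) that uses the jasypt core library directly, the same org.jasypt:jasypt:1.9.3 jar used in 4.2, with the article's values: algorithm PBEWithMD5AndDES, secret key hello, password abcd1234. It encrypts the same password twice, shows that the two ciphertexts differ yet both decrypt to the same value, wraps a ciphertext in the ENC(...) marker and unwraps it again. The resolve() helper is my own illustration of the ENC(...) convention, not jasypt-spring-boot's resolver; the ciphertexts it prints will differ from the article's because of the random salt.

```java
// Added example, not from the article. Assumes org.jasypt:jasypt:1.9.3 on the classpath.
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptRoundTrip {

    // Same parameters as the article's CLI call: PBEWithMD5AndDES with the chosen secret key.
    static StandardPBEStringEncryptor newEncryptor(String secretKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm("PBEWithMD5AndDES");
        enc.setPassword(secretKey); // jasypt derives the DES key from this passphrase (PBE)
        // The default salt generator is RandomSaltGenerator: a fresh random salt is drawn for
        // every encrypt() call and prepended to the ciphertext, which is why two encryptions
        // of the same input differ while both still decrypt.
        return enc;
    }

    // Wrap a ciphertext in the marker used in application.yml / application.properties.
    static String toProperty(String ciphertext) {
        return "ENC(" + ciphertext + ")";
    }

    // Illustration of the ENC(...) convention (hypothetical helper, not the library's code):
    // strip the marker and decrypt; values without the marker pass through unchanged.
    static String resolve(StandardPBEStringEncryptor enc, String value) {
        if (value != null && value.startsWith("ENC(") && value.endsWith(")")) {
            return enc.decrypt(value.substring(4, value.length() - 1));
        }
        return value;
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor enc = newEncryptor("hello");

        String first = enc.encrypt("abcd1234");
        String second = enc.encrypt("abcd1234");
        System.out.println("ciphertext 1: " + first);
        System.out.println("ciphertext 2: " + second);
        System.out.println("ciphertexts differ (random salt): " + !first.equals(second));

        String property = toProperty(first);
        System.out.println("config value : " + property);
        System.out.println("resolved     : " + resolve(enc, property));      // abcd1234
        System.out.println("plain passes : " + resolve(enc, "not-encrypted"));

        // A different secret key cannot recover the value: the padding check normally fails
        // and jasypt reports it as EncryptionOperationNotPossibleException.
        StandardPBEStringEncryptor wrongKey = newEncryptor("not-hello");
        try {
            wrongKey.decrypt(first);
            System.out.println("unexpected: decrypted with the wrong key");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong key -> " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run it with the jasypt jar on the classpath (java -cp jasypt-1.9.3.jar:. JasyptRoundTrip). PBEWithMD5AndDES is a legacy algorithm (single DES, 56-bit key); it is the default the article relies on in jasypt-spring-boot 2.x, while 3.x switched the default to PBEWITHHMACSHA512ANDAES_256, which is one reason values produced as in Step 4 do not decrypt on 3.x unless jasypt.encryptor.algorithm is set to match.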

STEP 6 → The chosen secret key needs to be passed at runtime for decryption

You need to make Jasypt aware of the secret key which you used to create the encrypted value. The following are the different ways to pass the secret key:

6.1. Pass it as the jasypt.encryptor.password property in the config file, then run the project as usual and decryption will happen. Keep in mind that a secret key stored in the same file as the ENC(...) values lets anyone who can read that file decrypt them, so the next two options are preferable outside local development.

6.2. Run the project with the following command:

$ mvn -Djasypt.encryptor.password=<secretkey> spring-boot:run

$ mvn -Djasypt.encryptor.password=hello spring-boot:run

6.3. Export the secret key as the environment variable JASYPT_ENCRYPTOR_PASSWORD=<secretkey>, for example:

export JASYPT_ENCRYPTOR_PASSWORD=hello

Run the project in the usual manner.
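Putting Steps 1, 2, 5 and 6 together, here is an added example (not from the article) of the minimal Spring Boot wiring. It assumes the Maven dependency com.github.ulisesbocchio:jasypt-spring-boot:2.0.0 from Step 1, and an application.yml (shown in the header comment) that carries the encrypted MongoDB password from Step 5 plus a hypothetical app.api-token property; the secret key is supplied at start-up by one of the Step 6 methods.

```java
// Added example, not from the article. Assumes jasypt-spring-boot 2.0.0 on the classpath and
// src/main/resources/application.yml with (app.api-token is a hypothetical extra property):
//
//   spring:
//     data:
//       mongodb:
//         password: ENC(scEjemHosjc/hjA8saT7Y6uC65bs0swg)
//   app:
//     api-token: ENC(<encrypted token>)
//
import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
@EnableEncryptableProperties // Step 2: every ENC(...) value in the Environment is decrypted on access
public class DemoApplication {

    public static void main(String[] args) {
        // Step 6: the secret key must be available before the context starts, e.g.
        //   mvn -Djasypt.encryptor.password=hello spring-boot:run
        //   export JASYPT_ENCRYPTOR_PASSWORD=hello && java -jar demo.jar
        // If it is missing, resolving an ENC(...) property fails during start-up rather than
        // silently handing application code the wrapped ciphertext.
        SpringApplication.run(DemoApplication.class, args);
    }

    // The injected values are already plaintext ("abcd1234" for the DB password); application
    // code never sees the ENC(...) wrapper and needs no decryption logic of its own.
    @Bean
    CommandLineRunner checkDecryption(@Value("${spring.data.mongodb.password}") String dbPassword,
                                      @Value("${app.api-token}") String apiToken) {
        return args -> {
            // Log only that decryption succeeded, not the secret values themselves.
            boolean dbOk = !dbPassword.startsWith("ENC(");
            boolean tokenOk = !apiToken.startsWith("ENC(");
            System.out.println("mongodb password decrypted: " + dbOk + " (length " + dbPassword.length() + ")");
            System.out.println("api token decrypted: " + tokenOk + " (length " + apiToken.length() + ")");
        };
    }
}
```

With the 2.0.0 dependency the defaults match Step 4 (PBEWithMD5AndDES); on 3.x the same application also needs jasypt.encryptor.algorithm=PBEWithMD5AndDES in the configuration, or the values must be re-encrypted with the new default algorithm.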

CONCLUSION

It is sometimes necessary to hide confidential passwords which you do not want to expose in the code. Jasypt is an easy and appropriate way to achieve this in any Spring Boot application. Follow the above 6 steps and you are ready to go…
