Java configuration file password encryption tool: jasypt

An overview of the

Some projects may need to encrypt some properties in the configuration to prevent leakage, such as some password properties. In Java projects, the Jasypt tool does just that.

The implementation principle is to encrypt the password into ciphertext and add the ciphertext to the configuration file. The runtime reads the ciphertext and decrypts it to get the original text.

Github.com/ulisesbocch…

Encrypt the original need password, similar to the encrypted value: package. TagsJsonName = ENC (BPOpaQk2Uf2Oa + GVrOyxZrt4fAwAL3o0b2Mx1WBC64myVxo5oRVAXlo9dApiDH4F).

The code is then decrypted at runtime using a password that can be placed in a configuration file, system properties, command line, or environment variable. However, it is not recommended to put the password directly into the configuration file.

encryption

Use maven plugin to encrypt and add maven plugin:

<plugin>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-maven-plugin</artifactId>
  <version>3.0.3</version>
</plugin>
Copy the code

Encrypts a string:

mvn jasypt:encrypt-value -Djasypt.encryptor.password="the password" -Djasypt.plugin.value="theValueYouWantToEncrypt"

Encryption profile

The configuration file in SRC/main/resources/application. The properties value containing DEC (value) before encryption attribute encryption:

mvn jasypt:encrypt -Djasypt.encryptor.password="the password"

This will automatically replace all DEC attribute values in the configuration file with ENC(encrypted value), for example, sense.password =DEC(secret value) with sense.password =ENC(encrypted).

Decrypts an encrypted string

mvn jasypt:decrypt-value -Djasypt.encryptor.password="the password" -Djasypt.plugin.value="yVrdhoqif3oeZOKsRsNn0OosbpbisEhhBYQdYDG9yViIVzOKxL7Hl5SkkUxrt0XY+ADjMpa+JWE3MGJ5e9b/ZQ=="

Decrypting configuration files

mvn jasypt:decrypt -Djasypt.encryptor.password="the password"

Will the SRC/main/resources/application. The properties of ENC contains the encrypted value after the replacement for the original output to the screen, attention to decrypt will not automatically modify the file.