Preface

A Spring Boot project uses many configuration properties, and some of them inevitably contain sensitive information: the database account and password, domain names, the Redis password and so on. For security, sensitive properties can be encrypted with the Jasypt library.

Introduced dependencies

Here, the author’s environment is Spring Boot 2.1.7, and the Jasypt version used is 3.0.2, as follows:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.2</version>
</dependency>

How to encrypt

First of all, add Jasypt’s own configuration property; the most basic and most necessary one is password. It tells Jasypt the secret (the article calls it a “salt value”) from which it derives the key used to encrypt and decrypt sensitive configuration properties with the specified encryption algorithm. Besides the salt value, Jasypt offers many more properties, such as the ability to choose the encryption algorithm. See Jasypt’s README on GitHub for details.

So how do you encrypt your sensitive configuration once you have given Jasypt the salt value? So far, I know of two ways.

Maven plug-in

Jasypt provides a Maven plug-in whose basic job is to encrypt sensitive property values. The plug-in has other powerful features as well, which you can explore on your own.

Add the plug-in to pom.xml:

<plugin>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-maven-plugin</artifactId>
    <version>3.0.2</version>
</plugin>

Execute the following command to encrypt sensitive attribute values.

mvn jasypt:encrypt-value -Djasypt.encryptor.password="# $! _" -Djasypt.encryptor.algorithm="PBEWithMD5AndDES" -Djasypt.plugin.value="test"

  • jasypt.encryptor.password tells Jasypt the salt value you provide.
  • jasypt.encryptor.algorithm tells Jasypt which encryption algorithm to use.
  • jasypt.plugin.value tells Jasypt which plain value to encrypt.

The test class

The other way is to write a test class yourself and let its test code perform the encryption and print the result. Because jasypt-spring-boot-starter is used, it provides a StringEncryptor bean by default for encryption and decryption, and you can use this StringEncryptor to encrypt sensitive configuration properties.

The following configuration properties need to be added so that the test code is “aware” of them when it runs.

jasypt.encryptor.password=# $! _
# The default encryption algorithm is not specified
#jasypt.encryptor.algorithm=PBEWithMD5AndDES

The following is an example of the test code:

import org.jasypt.encryption.StringEncryptor;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest(classes = Application.class)
public class EncryptTest {
    // StringEncryptor bean provided by jasypt-spring-boot-starter,
    // configured from the jasypt.encryptor.* properties
    @Autowired
    private StringEncryptor stringEncryptor;

    @Test
    public void encrypt() {
        // Encrypt each sensitive value and print the ciphertext to paste into ENC(...)
        String encryptStr = stringEncryptor.encrypt("localhost:3306");
        System.out.println(encryptStr);

        encryptStr = stringEncryptor.encrypt("mysql_account");
        System.out.println(encryptStr);

        encryptStr = stringEncryptor.encrypt("mysql_password");
        System.out.println(encryptStr);
    }
}

How to decrypt

The encrypted property value must be written in the required format; for example, the original Redis password property becomes:

spring.redis.password=ENC(ACjcb1s5O0g+yaxSrktQIK3qTTrpwhVojaYDM23pClE=)

ENC(…) is the marker Jasypt looks for when decrypting; it wraps the encrypted value, and Jasypt decrypts the value once it sees this marker. The ENC(…) marker is customizable; see the reference links at the end.

Before decrypting, Jasypt also needs to know the salt value and the encryption algorithm that were used for encryption, so don’t forget the two properties mentioned above.

jasypt.encryptor.password=# $! _
# The default encryption algorithm is not specified
#jasypt.encryptor.algorithm=PBEWithMD5AndDES

Exception encountered

Since I am using Jasypt 3.0.2: if you are using version 3.0.2 as well, you will probably hit the following exception with the encryption and decryption methods above, because JCE needs to be installed in your local JDK.

The reason is that in Jasypt 2.x the default value of jasypt.encryptor.algorithm is PBEWithMD5AndDES, whereas in 3.x the default value of this property is PBEWITHHMACSHA512ANDAES_256.

So you can either install JCE, or set jasypt.encryptor.algorithm to PBEWithMD5AndDES.

org.jasypt.exceptions.EncryptionOperationNotPossibleException: Encryption raised an exception. A possible cause is you are using strong encryption algorithms and you have not installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in this Java Virtual Machine

	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.handleInvalidKeyException(StandardPBEByteEncryptor.java:1207)
	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.encrypt(StandardPBEByteEncryptor.java:996)
	at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.encrypt(StandardPBEStringEncryptor.java:655)
	at org.jasypt.encryption.pbe.PooledPBEStringEncryptor.encrypt(PooledPBEStringEncryptor.java:465)
	at com.ulisesbocchio.jasyptspringboot.encryptor.DefaultLazyEncryptor.encrypt(DefaultLazyEncryptor.java:110)

Further security considerations

The above is only a brief description of Jasypt encryption and decryption. In essence, Jasypt’s encryption and decryption depend on the provided salt value and the specified algorithm; if that salt value is exposed, the so-called encryption is no longer secure.

The author currently has two ideas for improving this. The properties Jasypt depends on for encryption and decryption should not be exposed directly in the property file; instead you can supply them as environment variables or as command-line parameters.

Configure environment variables in Linux

For details on how to configure environment variables in Linux, see here.

Spring Boot Application configures Boot parameters

The author uses the runnable JAR packaged by the Spring Boot Maven plug-in, which can easily be configured as a service in the production environment. Add the startup parameters in the corresponding .conf file as follows:

RUN_ARGS="--jasypt.encryptor.password=&$! _ --jasypt.encryptor.algorithm=PBEWithMD5AndDES"

Note that the launch script sources this .conf file as shell, so characters such as $ inside double quotes are subject to shell expansion; use single quotes if the password contains them.

See here to learn how to deploy the Spring Boot application.

A phenomenon to be studied

Using the following Jasypt configuration, the author encrypted “123456” twice, and the two resulting values were different.

jasypt.encryptor.password=# $! _
# The default encryption algorithm is not specified
jasypt.encryptor.algorithm=PBEWithMD5AndDES

The results of the two encryptions are:

  • I3H2AZaME7KgI5d0JHWR/27MN1WFRsJd
  • vCuFGjOUzWYYgIiNniuH2HxC7h2EB7BW

Decrypting each of these two results separately, do both give “123456”? Tested personally: yes!
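As an added example (not code from the original article or from the jasypt-spring-boot project) covering both the security consideration above and this phenomenon: a standalone Java program builds an encryptor equivalent to the page’s jasypt.encryptor.* properties, takes the password from the environment variable JASYPT_ENCRYPTOR_PASSWORD instead of the property file (an assumed name; Spring Boot’s relaxed binding maps it to jasypt.encryptor.password), encrypts “123456” twice and decrypts both results. The class name JasyptSaltDemo and the wrap/unwrap helpers are my own.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class JasyptSaltDemo {

    // Equivalent of the page's jasypt.encryptor.* properties, built in code.
    // PBEWithMD5AndDES is the legacy 2.x default kept here to match the article;
    // the 3.x default PBEWITHHMACSHA512ANDAES_256 is the stronger choice.
    static PooledPBEStringEncryptor buildEncryptor(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        // Default salt generator: a fresh random 8-byte salt for every encrypt() call
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wrap a ciphertext in the ENC(...) marker used in the property file
    static String wrap(String cipherText) {
        return "ENC(" + cipherText + ")";
    }

    // Strip the ENC(...) marker, rejecting anything that is not in that format
    static String unwrap(String property) {
        if (!property.startsWith("ENC(") || !property.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC(...) value");
        }
        return property.substring(4, property.length() - 1);
    }

    public static void main(String[] args) {
        // Assumed variable name; keeps the password out of the property file
        String password = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("set JASYPT_ENCRYPTOR_PASSWORD before running");
        }
        PooledPBEStringEncryptor encryptor = buildEncryptor(password);

        String first = wrap(encryptor.encrypt("123456"));
        String second = wrap(encryptor.encrypt("123456"));
        // The random salt is prepended to the output, so the two ciphertexts differ
        System.out.println(first + " differs from " + second + ": " + !first.equals(second));
        // Both decrypt to the same plaintext because the salt travels with the ciphertext
        System.out.println(encryptor.decrypt(unwrap(first)));
        System.out.println(encryptor.decrypt(unwrap(second)));
    }
}
```

Run it with JASYPT_ENCRYPTOR_PASSWORD exported in the shell; the same variable works for the Spring Boot application itself, so the property file never needs to contain the password.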

References

  • Spring Boot Configuration with Jasypt
  • jasypt-spring-boot
  • Spring Boot Configuration – Configures information encryption
  • Use Jasypt to encrypt the SpringBoot configuration file