I have a Spring Boot application that uses SSL. In my properties file I defined a value for my keystore password. The idea is to not expose the password in the clear, so I encrypted the password and I'm looking for how I can decrypt this password value in Spring Boot:
server.port=8443
server.ssl.key-alias=selfsigned_certif
server.ssl.key-password=JDHF7E879E7R79E7D9D7Fkdskjdhdkjsdghjsfdghsgfd
server.ssl.key-store=classpath:ssl-server.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS
In my case I can't use Jasypt because we should use a specific developed library to encrypt and decrypt the password.
Is there a way to implement encryption/decryption of keystore properties using Spring Boot? Thanks in advance.
If you're looking for a Spring Boot related answer, I suggest taking a look at the spring-cloud-config project.
This project allows managing configurations externally (in the filesystem or in git, for example), and among other things has support for encrypting property values, both via a symmetric private secret and via a public/private key pair.
A "protected" Property, in this case, looks like this:
db.password={cipher}AZXCASDAZXC341234ZXCASDFedr453
Where the AZXCASDAZXC341234ZXCASDFedr453 is actually an encrypted value of some password. In order to encrypt it, you should call the "encrypt" method one time, assuming the spring-cloud-config server is running on port 8888 of your machine.
$ curl localhost:8888/encrypt -d mysecretdbpassword
>>AZXCASDAZXC341234ZXCASDFedr453
Here the value of the password "mysecretdbpassword" gets encrypted.
The key has to be specified in configurations of the spring-cloud-config microservice itself.
encrypt.key=ABC123ABC123ABC123
Another option that this service has is an integration with Hashicorp vault, so it also can be a good candidate for keeping the secrets.
Update: There is a similar/better answer to a duplicate question here, as pointed out by Adam in his comment.
We did something similar by incorporating the Jasypt tool. It's nicely baked into the Spring eco-system. Basically you encrypt the values with an encryption key (a string) and put the encrypted value in your properties file surrounded by ENC(...). Then you put the encryption key in a specified environment variable on the server where your code is running. You can then map the encrypted values directly into variables with @Value(...).
Another option is not to store the password in your source at all, and instead secure those on the server in environment variables and access them directly at runtime. I think any way you slice it you end up relying on the fact that the server is secure, so it's important that you are confident that your server won't be compromised.
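For the case in the question, where decryption must go through an in-house library rather than Jasypt, the same pattern (a marked ciphertext in the properties file, the key held outside the source) can be wired in with Spring Boot's EnvironmentPostProcessor. This is an added example, not code from the question or the answers. The `{enc}` marker, the `APP_CONFIG_KEY` variable, the package and class names, and the AES-GCM routine standing in for the in-house library are all assumptions.

```java
// Register in META-INF/spring.factories (Spring Boot 2.x/3.x):
// org.springframework.boot.env.EnvironmentPostProcessor=com.example.DecryptingPostProcessor
package com.example; // hypothetical package
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.*;

public class DecryptingPostProcessor implements EnvironmentPostProcessor {
    private static final String PREFIX = "{enc}";           // assumed marker, e.g. server.ssl.key-password={enc}...
    private static final String KEY_ENV = "APP_CONFIG_KEY"; // assumed env var holding a Base64 AES key

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        Map<String, Object> plain = new HashMap<>();
        Set<String> seen = new HashSet<>();
        for (PropertySource<?> ps : env.getPropertySources()) { // iterated highest precedence first
            if (!(ps instanceof EnumerablePropertySource)) continue;
            for (String name : ((EnumerablePropertySource<?>) ps).getPropertyNames()) {
                Object raw = seen.add(name) ? ps.getProperty(name) : null; // only the winning source counts
                if (raw != null && raw.toString().startsWith(PREFIX)) {
                    plain.put(name, decrypt(raw.toString().substring(PREFIX.length())));
                }
            }
        }
        // In-memory source with top precedence: binding of server.ssl.* sees the decrypted value.
        if (!plain.isEmpty()) env.getPropertySources().addFirst(new MapPropertySource("decrypted", plain));
    }

    // Stand-in for the in-house library: AES-GCM over Base64(12-byte IV || ciphertext and tag).
    static String decrypt(String b64) {
        String key = System.getenv(KEY_ENV);
        if (key == null || key.isEmpty()) throw new IllegalStateException(KEY_ENV + " is not set");
        try {
            byte[] in = Base64.getDecoder().decode(b64);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(Base64.getDecoder().decode(key), "AES"),
                    new GCMParameterSpec(128, in, 0, 12));
            return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            throw new IllegalStateException("Cannot decrypt a configuration value", e); // fail startup, never log the value
        }
    }
}
```

The decrypted password exists only in the running process, so endpoints that dump the environment (such as Actuator's `/env`) should stay restricted or sanitized.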