Password encryption/decryption for logback configuration

Question

I'm using logback's DBAppender to store my logs into an oracle database. I'd also like to add security to my login credentials by encrypting and decrypting my password. So i was recomended a java library jasypt. I have few questions and I'm unable to access http://jasypt.org/ too.

1. Can I use jasypt for encrypting logback.xml's DBAppender database credentials?
2. How will the decryption done on other end(Oracle Database)?

Answer 1

This is a late answer and does not cover all questions. But I wanna share my solution in case anybody else stumbles over here. As for me, I am using LogBack to store logs in my MySQL database. I guess it makes no difference, if you use Oracle or something else, because the connection is done via jdbc and the decryption by jasypt. I assume you know how to use jdbc and jasypt.

This is my example logback.xml:

<configuration>
<appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
        <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{5} - %msg%n</pattern>
    </encoder>
</appender>
<appender name="db" class="ch.qos.logback.classic.db.DBAppender">
    // important!! Deliver your own class
    <connectionSource class="com.company.project.Connector">
        <driverClass>com.mysql.jdbc.Driver</driverClass>
        // nothing more to provide here
    </connectionSource>
</appender>

<logger name="com.company" level="ALL"/>

<root level="WARN">
    <appender-ref ref="stdout"/>
    <appender-ref ref="db"/>
</root>

And this is the example Connector class:

// Important to extend DriverManagerConnectionSource
public class Connector extends DriverManagerConnectionSource {

  /**
   * Overrides: getConnection() in class DriverManagerConnectionSource
   */
  @Override
  public Connection getConnection() {

    // I am loading the properties from the resources foler
    try (final InputStream inputStream = this.getClass().getClassLoader().getResourceAsStream("client.properties")) {
      final EnvironmentPBEConfig       config    = new EnvironmentPBEConfig();
      final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
      final Properties                 props     = new EncryptableProperties(encryptor);

      props.load(inputStream);
      config.setAlgorithm("<algorithm>");
      config.setPassword("<jasypt encryption password>");
      encryptor.setConfig(config);

      return DriverManager.getConnection(String.format("jdbc:mysql://%s/%s?user=%s&password=%s",
                                                       props.getProperty("<ip>"),
                                                       props.getProperty("<db_name>"),
                                                       props.getProperty("<user>"),
                                                       props.getProperty("<pw>")));
    } catch (IOException | SQLException  e) {
      e.printStackTrace();
    }

    return null;
  }
}

Please take in mind, that every encrypting is useless, if someone gets your jasypt password and the encrypted values. Anybody can decrypt it with a bit googling.