Data Encryption on Spring Boot application.properties file

stanley obidiagha
4 min readAug 24, 2020

--

Plain password on the application.properties file
Encrypted password on the application.properties file

An application had been developed using spring boot but the MySQL database password is plain on the application.properties file. There is need to encrypt the password on the application.properties file. I came across jasypt (http://www.jasypt.org/) which can help easily encrypt data on the application.properties file.

1. We will need to encrypt the plain password therefore generating an encrypted password. To achieve this, we will need to follow the steps below
Step 1 : Download the jasypt.jar file (https://mvnrepository.com/artifact/org.jasypt/jasypt). as at the time of download, we are using jasypt-1.9.3.jar

Download jasypt-1.9.3.jar

Step 2 : Open on Terminal the location of the downloaded jasypt-1.9.3.jar file

Step 3 : Run the cmd below
java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=<plain password/data to be encrypted> password=<secret key used in encrypting data> algorithm=PBEWITHHMACSHA512ANDAES_256 ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator

Example :
java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=sampleDBPassword password=secretKey algorithm=PBEWITHHMACSHA512ANDAES_256 ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator

Explanation :
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI is the Class used to encrypt the input while PBEWITHHMACSHA512ANDAES_256 is the algorithm used in encrypting the input. This algorithm is the default algorithm and it can be changed if you want to. You will have to indicate that on the application.properties file if you not using the default algorithm.

Note that to decrypt an encrypted data we use org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI instead of org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI.

Data Encryption using Jasypt

2. Now that we have the encrypted password, we are to update the spring boot project. To achieve this, we will need to follow the steps below.
Step 1 : Add jasypt dependency to the project but updating the pom.xml (we are assuming it is a maven project)

<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>3.0.2</version>
</dependency>

Step 2 : We have to enable encrypt-able properties, to do that, add @EnableEncryptableProperties on a configuration class as seen in the screenshot below

Enabling encrypt-able properties

Step 3 : Update the application.properties file to have the encrypted password from spring.datasource.password=sampleDBPassword to spring.datasource.password=ENC(MqYmh7bDl3HSbAjeGMXgx4txWexWO3SrZ32TjQWP1rcEAcDWhZA3N8TZolbcGvJxMKqGuXBoJs27DveKP/ocNA==)

Notice that the encrypted password is wrapped in ENC(), this is important to indicate that the value is encrypted, once seen, it is decrypted else it is assumed to be plain.

Step 4 : But we need to indicate the secret key used in encrypting data so it can be used in decrypting it. we can achieve that by adding the below to the property file

jasypt.encryptor.password=secretKey

Note that there are other ways to indicate this but i choose this because it is most convenient for me.

3. Finally we have it BUT the <secret key used in encrypting data> cannot be plain on the application.properties file, it defeats the purpose of encrypting the password in the first place.

Therefore, we decided to save the password on the system environment as a variable. Saving as System environment variable differ based on the operating system used. Here is how you can on Mac and Windows.

Mac
Run the following on Terminal
Step 1 : run cd ~/
Step 2 : run open -e .bash_profile
this will open the .bash_profile file where the variable is created and set by adding
export SECRET_ENCRYPTION_KEY=secretKey
Step 3 : Press CMD+S to save, then you can close it.
Step 4 : you can confirm, by running “printenv” on Terminal. That’s it, you are good

Note that if .bash_profile file is not available, it has to be created by running
touch .bash_profile

Windows
Search for “Edit the System environment variables

Search for “Edit the System environment variables

Click on “Environment Variables”.

Click on “New…”

Enter the variable name and value. Then click OK.

Finally the Spring boot project application.properties file will be like this.

Complete application.properties file when password is encrypted

Note that if you are running your application from IntelliJ IDEA, you might need to restart IntelliJ IDEA for your application to fetch the new system environment variable. Thank you.

--

--

Responses (1)