Data Encryption on Spring Boot application.properties file
An application had been developed using Spring Boot, but the MySQL database password was stored in plain text in the application.properties file. The password in application.properties needed to be encrypted. I came across jasypt (http://www.jasypt.org/), which makes it easy to encrypt data in the application.properties file.
1. First, we need to encrypt the plain password to produce an encrypted password. To achieve this, follow the steps below.
Step 1 : Download the jasypt.jar file (https://mvnrepository.com/artifact/org.jasypt/jasypt). At the time of download, we are using jasypt-1.9.3.jar.
Step 2 : Open a Terminal in the location of the downloaded jasypt-1.9.3.jar file
Step 3 : Run the command below
java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=<plain password/data to be encrypted> password=<secret key used in encrypting data> algorithm=PBEWITHHMACSHA512ANDAES_256 ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
Example :
java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=sampleDBPassword password=secretKey algorithm=PBEWITHHMACSHA512ANDAES_256 ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator
Explanation :
org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI is the class used to encrypt the input, while PBEWITHHMACSHA512ANDAES_256 is the algorithm used to encrypt it. This algorithm is the default algorithm, and it can be changed if you want to. If you are not using the default algorithm, you will have to indicate that in the application.properties file.
Note that to decrypt encrypted data we use org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI instead of org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI.
2. Now that we have the encrypted password, we need to update the Spring Boot project. To achieve this, follow the steps below.
Step 1 : Add the jasypt dependency to the project by updating the pom.xml (we are assuming it is a Maven project)
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>3.0.2</version>
</dependency>
Step 2 : Enable encryptable properties by adding @EnableEncryptableProperties to a configuration class.
Step 3 : Update the application.properties file to hold the encrypted password, changing
spring.datasource.password=sampleDBPassword
to
spring.datasource.password=ENC(MqYmh7bDl3HSbAjeGMXgx4txWexWO3SrZ32TjQWP1rcEAcDWhZA3N8TZolbcGvJxMKqGuXBoJs27DveKP/ocNA==)
Notice that the encrypted password is wrapped in ENC(). This is important because it indicates that the value is encrypted: a value wrapped in ENC() is decrypted, and any other value is assumed to be plain.
Step 4 : We also need to indicate the secret key used to encrypt the data so that it can be used to decrypt it. We can achieve that by adding the line below to the properties file
jasypt.encryptor.password=secretKey
Note that there are other ways to indicate this, but I chose this one because it is the most convenient for me.
3. Finally we have it, BUT the <secret key used in encrypting data> cannot be plain in the application.properties file; that defeats the purpose of encrypting the password in the first place.
Therefore, we decided to save the secret key as a system environment variable. How a system environment variable is saved differs based on the operating system used. Here is how you can do it on Mac and Windows.
Mac
Run the following on Terminal
Step 1 : run cd ~/
Step 2 : run open -e .bash_profile
This will open the .bash_profile file, where the variable is created and set by adding
export SECRET_ENCRYPTION_KEY=secretKey
Step 3 : Press CMD+S to save, then close the file.
Step 4 : Confirm by running “printenv” on Terminal. That’s it, you are good.
Note that if the .bash_profile file does not exist, it has to be created by running
touch .bash_profile
Windows
Search for “Edit the System environment variables”
Click on “Environment Variables”.
Click on “New…”
Enter the variable name and value. Then click OK.
Finally, the Spring Boot project's application.properties file takes the secret key from the SECRET_ENCRYPTION_KEY environment variable instead of holding it as a literal value.
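As an added example (not part of the original post), the shell check below flags the two mistakes this walkthrough works to remove: a secret stored in plain text instead of ENC(...), and a literal jasypt.encryptor.password. The check_props helper, the sample files and the ${SECRET_ENCRYPTION_KEY} placeholder line (Spring's standard property placeholder syntax) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: lint a Spring Boot properties file before it is committed.
# Assumes plain key=value lines with no spaces around '='.
# check_props is a hypothetical helper name, not part of jasypt or Spring.

check_props() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|'!'*) continue ;; esac   # skip blanks and comments
        key=${line%%=*}
        val=${line#*=}
        case $key in
            jasypt.encryptor.password)
                # The decryption key must be a ${ENV_VAR} placeholder, never a literal.
                case $val in
                    '${'*'}') ;;
                    *) echo "$1: $key holds a literal key"; status=1 ;;
                esac ;;
            *password*|*secret*)
                # Other secrets must be ENC(...) ciphertext or a placeholder.
                case $val in
                    'ENC('*')'|'${'*'}') ;;
                    *) echo "$1: $key is stored in plain text"; status=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$status"
}

# Constructed sample files; the ciphertext is a placeholder, not real jasypt output.
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.properties" <<'EOF'
spring.datasource.username=appuser
spring.datasource.password=sampleDBPassword
jasypt.encryptor.password=secretKey
EOF
cat > "$demo_dir/after.properties" <<'EOF'
# Key comes from the environment variable set in step 3
spring.datasource.username=appuser
spring.datasource.password=ENC(PLACEHOLDER_CIPHERTEXT)
jasypt.encryptor.password=${SECRET_ENCRYPTION_KEY}
EOF

check_props "$demo_dir/before.properties" || echo "before.properties: rejected"
check_props "$demo_dir/after.properties" && echo "after.properties: ok"
```

Run as a pre-commit or CI step, a non-zero return from check_props blocks a properties file that still carries the plain password or the literal key.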
Note that if you are running your application from IntelliJ IDEA, you might need to restart IntelliJ IDEA for your application to fetch the new system environment variable. Thank you.