
Recently I have gone through the Jasypt API to secure property file entries. As per Jasypt, in order to decrypt an entry in the property file that is enclosed with ENC(..), we need to use a secure password, a secret key, as shown below (not a web application):

    encryptor.setPassword("jasypt"); // could be got from web, env variable..

Of course we can configure such a password using

    org.jasypt.encryption.pbe.config.SimplePBEConfig setPassword()

But my question: if we extract the jar file, a 3rd party could find out the secret key. How could we ensure security in such cases?

Thanks in advance, JK

HJK

1 Answer


The secret key should be stored in an environment variable outside the application.

For example, in your spring configuration file:

    <bean id="environmentConfig"
          class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"
          p:passwordEnvName="APP_ENCRYPTION_PASSWORD" ...

Now add APP_ENCRYPTION_PASSWORD as an environment variable, either in the OS or in the app server.

Vikas Sharma
  • a bit short on details/info: this causes it to go into the Low Quality Post queue which could result in deletion even if it is correct – Ňɏssa Pøngjǣrdenlarp May 31 '14 at 13:57
  • In such a case, when I port the application to a different machine, I need to set up the environment variables again, right? Instead, can't we do the following, which seems to be more secure: store the hash of the password and a random value (salt) so that whenever the user enters it we generate the hash using the stored salt and compare both hashes. As we cannot reverse the hash, it would be more secure. I am new to this area, so I might be a little bit foolish. – HJK May 31 '14 at 14:14
  • IMHO, the problem with the approach is that two password Strings could generate the same hash value. For example, the Strings "BBBB", "AaBB", "BBAa" have the same hash value. – Vikas Sharma Jun 01 '14 at 02:11
  • In my application, I connect to a third party system where I need to authenticate. As of now I have placed the user Id and password (plain text) in a properties file. Whoever extracts the jar is able to see the password. Hence I want to encrypt the password. What would be the better approach to you? It is a desktop application using JavaFX – HJK Jun 02 '14 at 03:12
  • You need to put the jasypt secret key in an OS environment variable. – Vikas Sharma Jun 02 '14 at 05:31
  • Thanks Vikas for the suggestion – HJK Jun 02 '14 at 08:17
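The wiring the answer shows as a Spring bean, done in plain Java for a non-Spring desktop app, as an added example that is not part of the original answer or of Jasypt's own documentation. It assumes the APP_ENCRYPTION_PASSWORD variable name from the answer; the property keys and the plaintext value are constructed for the demo.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.properties.EncryptableProperties;

public class EnvPasswordPropertiesDemo {

    // Environment variable holding the Jasypt password (name taken from the answer).
    // The password itself never appears in code or in the packaged jar.
    static final String PASSWORD_ENV = "APP_ENCRYPTION_PASSWORD";

    // Same configuration as the EnvironmentStringPBEConfig bean, built by hand.
    static StandardPBEStringEncryptor buildEncryptor() {
        String password = System.getenv(PASSWORD_ENV);
        if (password == null || password.isEmpty()) {
            // Fail at startup with a clear message rather than at the first decrypt.
            throw new IllegalStateException(PASSWORD_ENV + " is not set in the environment");
        }
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setPasswordEnvName(PASSWORD_ENV); // Jasypt reads the password from the env var
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);             // default algorithm and random salt generator
        return encryptor;
    }

    // One-off step for the person packaging the app: produce the ENC(...) form to put in the file.
    static String toPropertyValue(StandardPBEStringEncryptor encryptor, String plaintext) {
        return "ENC(" + encryptor.encrypt(plaintext) + ")";
    }

    // At runtime EncryptableProperties decrypts ENC(...) values transparently on getProperty().
    static Properties loadProperties(StandardPBEStringEncryptor encryptor, String text) throws IOException {
        Properties props = new EncryptableProperties(encryptor);
        props.load(new StringReader(text));
        return props;
    }

    public static void main(String[] args) throws IOException {
        StandardPBEStringEncryptor encryptor = buildEncryptor();
        // Constructed sample of what the shipped .properties file would contain. The ciphertext is
        // generated here only so the demo is self-contained; a real file carries a fixed ENC(...) value.
        String text = "thirdparty.user=jk\n"
                + "thirdparty.password=" + toPropertyValue(encryptor, "hypothetical-password") + "\n";
        Properties props = loadProperties(encryptor, text);
        System.out.println("user     = " + props.getProperty("thirdparty.user"));
        System.out.println("password = " + props.getProperty("thirdparty.password")); // decrypted on access
    }
}
```

Run it with APP_ENCRYPTION_PASSWORD exported in the launching shell (or set by the service manager); the jar then ships only the ENC(...) ciphertext. Anyone who can read that process's environment can still decrypt, so the environment of the running user is the trust boundary of this approach.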