18

I have a Spring Boot app that is using Spring Cloud Config but I would like to encrypt the Spring Cloud Config password in the Spring Boot app's bootstrap.yml file. Is there a way to do this? Below is an example.

Spring Boot app bootstrap.yml

spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: user
      password: '{cipher}encryptedpassword'
Brian Abston

3 Answers

18

A couple things I've discovered related to this.

If you use bootstrap.yml (or application.yml), the format for the cipher text must be enclosed within single quotes:

security.user.password: '{cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914'  

If you use bootstrap.properties (or application.properties), the format for the cipher text must NOT be enclosed:

security.user.password= {cipher}56e611ce4a99ffd99908d2c9aa1461d831722812e4370a5b6900b7ea680ae914

The [reference docs][1] show the yml without the quotes, which I never got to work. SnakeYaml always reported an error:

"expected <block end>, but found Scalar"
Ken Krueger
11

There is support for encrypted properties in the config client (as described in the user guide). Obviously if you do it that way you have to provide a key to decrypt the properties at runtime, so actually I don't always see the benefit (I suppose the config file is a bit like a keystore with a special format, so you only have one secret to protect instead of many). Example (application.yml):

integration:
  stores:
    test: '{cipher}316f8cdbb776c23e679bf209014788a6eab7522f48f97114328c2c9388e6b3c1'

and the key (in bootstrap.yml):

encrypt:
  key: ${ENCRYPT_KEY:} # deadbeef
Dave Syer
  • Thanks Dave. I am not sure what I did wrong yesterday but I couldn't get it to work. I had ENCRYPT_KEY set as an OS environment variable. I tried it again today and it is working. – Brian Abston Feb 10 '15 at 17:11
  • For anybody with the same problem, IntelliJ (and probably other IDEs) load environment variables during startup... So to load new/changed environment variables, IntelliJ needs to be closed and restarted. – RobOhRob Dec 14 '19 at 00:18
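
A lint check for the rules in the two answers above (quoting of {cipher} values per file type, and supplying encrypt.key from the environment), as an added example that is not part of the original posts or of Spring's code. The name lint_config, the messages and the sample input are constructed for illustration, and the parsing is a line-based simplification, not a full YAML parser.

```python
import re

# Key/value separator per file type: YAML uses ':', .properties allows '=' or ':'.
_SEP = {"yaml": ":", "properties": "[=:]"}
_SECRET = re.compile(r"(password|secret)$", re.I)

def lint_config(text, kind):
    """Return (line_no, dotted_key, problem) tuples; kind is 'yaml' or 'properties'."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if kind == "yaml":
            raw = re.sub(r"\s+#.*$", "", raw)  # simplified: ignores '#' inside quotes
        m = re.match(r"^(\s*)([\w.\-]+)\s*" + _SEP[kind] + r"\s*(.*?)\s*$", raw)
        if not m:
            continue  # blank line, comment, or something this sketch does not parse
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        if kind == "yaml":  # rebuild the dotted key from indentation
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append((indent, key))
            key = ".".join(k for _, k in stack)
        if not value:
            continue  # parent mapping, no scalar on this line
        quoted = len(value) >= 2 and value[0] in "'\"" and value[-1] == value[0]
        bare = value[1:-1] if quoted else value
        if bare.startswith("{cipher}"):
            if kind == "yaml" and not quoted:  # a bare '{' opens a YAML flow mapping
                findings.append((no, key, "unquoted {cipher} value in YAML"))
            elif kind == "properties" and quoted:
                findings.append((no, key, "quoted {cipher} value in .properties"))
        elif bare.startswith("${"):
            continue  # placeholder resolved from the environment at runtime
        elif key == "encrypt.key":
            findings.append((no, key, "hard-coded encryption key"))
        elif _SECRET.search(key):
            findings.append((no, key, "plaintext secret"))
    return findings

# Constructed sample input (not from the original posts).
SAMPLE_YAML = """\
spring.cloud.config:
  password: {cipher}0123abcd
encrypt:
  key: not-a-real-key
"""

if __name__ == "__main__":
    print(lint_config(SAMPLE_YAML, "yaml"))
```
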
5

You can use Spring CLI to encrypt the secrets:

spring encrypt password --key 'SECRET_KEY'

https://cloud.spring.io/spring-cloud-cli/

eduardomoroni