
I am trying to understand whether it is possible to use Google Cloud KMS to encrypt and decrypt sensitive properties in a yml file, so that on application startup it decrypts the values and uses them in the application. For example, a database username and password which have read and write access.

We don't have spring cloud config server.

akreddy.21
  • Possible related to https://stackoverflow.com/questions/57984457/cant-decrypt-property-from-spring-cloud-config-or-environment-variable – sethvargo Oct 16 '19 at 14:41
  • @sethvargo the attached link involves spring cloud config server; in my case it's just a simple application.yml file in the application class path. – akreddy.21 Oct 17 '19 at 04:17
  • Ah sorry. This was tagged "spring-boot", so I assumed. The easiest thing would be to encrypt the values using gcloud, put the encrypted values in the yaml file, then, at boot, have your application decrypt the values in-memory by calling the KMS API. – sethvargo Oct 17 '19 at 15:32
  • Yes, provided that your application is not dependent on those values before application startup. Spring Boot has dependencies on some environment variables. Edit your question with more details. – John Hanley Oct 20 '19 at 21:50
  • @sethvargo, if I have the key in the yml file, I lose all the benefits of KMS like automatic key rotation, primary key version etc. – akreddy.21 Oct 21 '19 at 06:41
  • You don't put the KMS key in your YAML file, only the encrypted values. – sethvargo Oct 21 '19 at 21:49
  • @sethvargo if key is rotated, encrypted value also will change right? – akreddy.21 Oct 30 '19 at 07:37
  • No, when you rotate a key, you're creating a new version and setting that version as head. The old version still exists and can be used to decrypt data. – sethvargo Oct 30 '19 at 14:07
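The flow sethvargo describes (encrypted values in the yaml, decrypted in memory at boot via the KMS API), as an added example that is not from the question or the comments. It assumes Spring Boot with the `google-cloud-kms` client on the classpath, a `kms:` prefix convention chosen here to mark encrypted values, and placeholder key coordinates (`my-project`, `global`, `app-ring`, `config-key`).

```java
// Added example: an EnvironmentPostProcessor that decrypts properties stored as
// "kms:<base64 ciphertext>" in application.yml before any bean reads them.
// Register it in META-INF/spring.factories under
// org.springframework.boot.env.EnvironmentPostProcessor.
// Produce a value with (binary ciphertext must be base64-encoded for YAML):
//   gcloud kms encrypt --location=global --keyring=app-ring --key=config-key \
//     --plaintext-file=- --ciphertext-file=- | base64
package com.example.config; // hypothetical package

import com.google.cloud.kms.v1.CryptoKeyName;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.protobuf.ByteString;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class KmsEnvironmentPostProcessor implements EnvironmentPostProcessor {
    private static final String PREFIX = "kms:"; // marker convention for this example

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        // Decrypt is addressed to the key, not to a key version: KMS reads the version
        // from the ciphertext, so rotating the key does not invalidate stored values.
        CryptoKeyName key = CryptoKeyName.of("my-project", "global", "app-ring", "config-key");
        Map<String, Object> decrypted = new HashMap<>();
        try (KeyManagementServiceClient kms = KeyManagementServiceClient.create()) {
            for (PropertySource<?> source : env.getPropertySources()) {
                if (!(source instanceof EnumerablePropertySource)) continue;
                for (String name : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                    Object value = source.getProperty(name);
                    if (!(value instanceof String) || !((String) value).startsWith(PREFIX)) continue;
                    byte[] ciphertext = Base64.getDecoder()
                            .decode(((String) value).substring(PREFIX.length()));
                    String plaintext = kms.decrypt(key, ByteString.copyFrom(ciphertext))
                            .getPlaintext().toStringUtf8();
                    decrypted.put(name, plaintext); // plaintext exists only in memory
                }
            }
        } catch (Exception e) {
            throw new IllegalStateException("Cloud KMS decryption of config failed", e);
        }
        // Highest precedence, so the decrypted value shadows the "kms:" placeholder.
        env.getPropertySources().addFirst(new MapPropertySource("kmsDecrypted", decrypted));
    }
}
```

The only secret material on disk is ciphertext; the application's service account needs `roles/cloudkms.cryptoKeyDecrypter` on that key, and no KMS key material ever enters the yml file.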

0 Answers