
Jasypt (https://github.com/jasypt/jasypt) and the corresponding Spring Boot integration (https://github.com/ulisesbocchio/jasypt-spring-boot) do not really seem to be alive any longer.

  • issues with the latest LTS Java version (17)
  • no activity in the most recent history

What are current good practices for encrypting properties in Spring Boot applications using open source libraries? Simple solutions preferred.

jens

  • Because the encryption is two-way, this is inherently unsafe (more or less). So instead of storing encrypted values in a properties file, more and more people/orgs start to use vaults (like HashiCorp Vault, for instance) to store secrets, or provide them at runtime as environment/container variables. – M. Deinum May 11 '22 at 09:22
  • Check [Spring Cloud Config Server - Encryption and Decryption](https://cloud.spring.io/spring-cloud-config/multi/multi__spring_cloud_config_server.html#_encryption_and_decryption) – Alex May 17 '22 at 06:00
  • Not sure what you mean by Java 17 issues - if you mean Java modules, I think the whole Spring project is not compatible. The fact that they don't need to make changes is not bad ... what's the problem with Jasypt really? I'm not familiar with Spring Cloud. You make it sound like it's a Spring Boot replacement, but that does not seem to be the case, right? – schwaller Mar 03 '23 at 08:28

1 Answer


Spring Cloud has built-in support for decrypting properties. Any property that starts with {cipher}... will automatically be decrypted at runtime. Similar to Jasypt, a 'master' encryption key is used. Configuring this key can be done by specifying encrypt.key in bootstrap.yaml or by specifying the ENCRYPT_KEY environment variable. By default it uses symmetric encryption, but it's also possible to use asymmetric keys.

spring:
  datasource:
    # the encrypted value must be quoted in YAML, otherwise {cipher} is parsed as a flow mapping
    password: '{cipher}xxxxx'

The Spring CLI also has support for encrypting values:

spring encrypt --key MySeCrEtMaStErKeY 'secretAPIkey'

Then start your app by specifying the master encryption key in bootstrap.yaml or using an environment variable:

ENCRYPT_KEY=MySeCrEtMaStErKeY java -jar myapp.jar

See https://docs.spring.io/spring-cloud-commons/docs/current/reference/html/#encryption-and-decryption

For more sophisticated setups, I highly recommend using HashiCorp Vault. It's open source and free to use.

blagerweij
  • I don't understand how it is secure to encrypt all passwords in your application.properties file but provide the encryption key for these passwords in that very same file as well (or in the bootstrap.properties file)? All someone needs is to open that file, take the encryption key and use it to decrypt the passwords. Mind explaining? I feel I am missing something. Thanks and much appreciated – pixel Feb 08 '23 at 00:03
  • The master encryption key should not be provided in the same file; usually you provide that via environment variables, or by passing the master encryption key in 'bootstrap.yaml', whereas all normal properties are stored in 'application.yaml'. To be honest, I think nowadays people should use AWS KMS or HashiCorp Vault, instead of relying on a single master key. – blagerweij Feb 08 '23 at 15:51
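The following is an added example, not code from the answer above or from Spring Cloud itself. It reproduces what the answer describes and what the last two comments argue about: Spring Cloud Commons builds its symmetric `{cipher}` encryptor with `Encryptors.text(key, salt)` from `spring-security-crypto` (AES-256-CBC with a random IV, key derived by PBKDF2 from `encrypt.key`; the salt defaults to `deadbeef`, configurable as `encrypt.salt`), so the same class can be used outside Spring to produce and check `{cipher}` values. It assumes `org.springframework.security:spring-security-crypto` is on the classpath and that the master key arrives via the `ENCRYPT_KEY` environment variable, never from a config file. The class and method names are this example's own, and the sample value `secretAPIkey` is constructed.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/**
 * Added example (not part of the answer or of Spring Cloud's sources).
 * Mirrors the symmetric {cipher} handling of Spring Cloud Commons by calling the
 * same spring-security-crypto factory it uses: Encryptors.text(key, salt).
 * Assumption: spring-security-crypto is on the classpath and ENCRYPT_KEY is set.
 */
public class CipherPropertyDemo {

    private static final String CIPHER_PREFIX = "{cipher}";
    // Spring Cloud Commons default for encrypt.salt; override if your config sets a different salt
    private static final String DEFAULT_SALT = "deadbeef";

    /** Same TextEncryptor Spring Cloud constructs for a symmetric encrypt.key. */
    static TextEncryptor encryptorFor(String masterKey) {
        return Encryptors.text(masterKey, DEFAULT_SALT);
    }

    /** Equivalent of `spring encrypt --key <key> <value>`, with the {cipher} prefix prepended. */
    static String encryptProperty(String masterKey, String plaintext) {
        // Output is hex(IV || AES-CBC ciphertext); the IV is random, so each call differs.
        return CIPHER_PREFIX + encryptorFor(masterKey).encrypt(plaintext);
    }

    /** What happens at startup for a property value: {cipher}... is decrypted, anything else passes through. */
    static String decryptProperty(String masterKey, String propertyValue) {
        if (!propertyValue.startsWith(CIPHER_PREFIX)) {
            return propertyValue;
        }
        return encryptorFor(masterKey).decrypt(propertyValue.substring(CIPHER_PREFIX.length()));
    }

    public static void main(String[] args) {
        // The key is the whole secret: take it from the environment, as the answer's
        // `ENCRYPT_KEY=... java -jar myapp.jar` does, and refuse to run without it rather
        // than falling back to a key stored next to the ciphertexts.
        String masterKey = System.getenv("ENCRYPT_KEY");
        if (masterKey == null || masterKey.isBlank()) {
            System.err.println("ENCRYPT_KEY is not set; refusing to use a key from a config file");
            System.exit(1);
        }

        String plaintext = args.length > 0 ? args[0] : "secretAPIkey"; // constructed sample value
        String stored = encryptProperty(masterKey, plaintext);
        // This is the line you would commit; note the quotes required for YAML.
        System.out.println("spring.datasource.password: '" + stored + "'");

        // Round trip with the correct key, as the application would do at startup.
        System.out.println("decrypted: " + decryptProperty(masterKey, stored));

        // With a wrong key, PKCS5 padding almost always fails and spring-security-crypto
        // throws IllegalStateException; on the rare occasions the padding happens to be
        // valid you get garbage instead, so never treat "no exception" as "right key".
        try {
            String wrong = decryptProperty(masterKey + "x", stored);
            System.out.println("wrong key produced garbage: " + wrong);
        } catch (IllegalStateException e) {
            System.out.println("wrong key: decryption failed (" + e.getMessage() + ")");
        }
    }
}
```

Run it as `ENCRYPT_KEY=MySeCrEtMaStErKeY java -cp spring-security-crypto.jar:. CipherPropertyDemo` to get a `{cipher}` value you can paste into `application.yaml`. Because anyone holding the key (or reading the process environment) can decrypt every committed value with exactly this code, the `{cipher}` scheme only moves the problem from "secrets in git" to "one key in the deployment environment", which is the point the comment thread makes in favour of a vault or KMS for anything beyond the simple case.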