3

I have a Spring Boot application that uses SSL. In my properties file I defined a value for my keystore password. The idea is to not expose the password in the clear, so I encrypted the password and I'm looking for how I can decrypt this password value in Spring Boot:

server.port=8443
server.ssl.key-alias=selfsigned_certif
server.ssl.key-password=JDHF7E879E7R79E7D9D7Fkdskjdhdkjsdghjsfdghsgfd
server.ssl.key-store=classpath:ssl-server.jks
server.ssl.key-store-provider=SUN
server.ssl.key-store-type=JKS

In my case I can't use Jasypt because we should use a specific developed library to encrypt and decrypt the password.

Is there a way to implement encryption/decryption of keystore properties using Spring Boot? Thanks in advance.

e2rabi

2 Answers

2

If you're looking for a Spring Boot related answer, I suggest taking a look at the spring-cloud-config project.

This project allows managing configurations externally (in the filesystem or in git, for example), and among other things has support for encrypting property values both via a symmetric private secret and via a public/private key pair.

A "protected" Property, in this case, looks like this:

db.password={cipher}AZXCASDAZXC341234ZXCASDFedr453

Where the AZXCASDAZXC341234ZXCASDFedr453 is actually an encrypted value of some password. In order to encrypt it, you should call the "encrypt" method one time, assuming the spring-cloud-config server is running on port 8888 of your machine.

 $ curl localhost:8888/encrypt -d mysecretdbpassword
 AZXCASDAZXC341234ZXCASDFedr453

Here the value of the password "mysecretdbpassword" gets encrypted.

The key has to be specified in the configuration of the spring-cloud-config microservice itself.

 encrypt.key=ABC123ABC123ABC123

Another option that this service has is an integration with HashiCorp Vault, so it can also be a good candidate for keeping the secrets.

Mark Bramnik
  • In my case I can't use Jasypt because we should use a specific developed library to encrypt and decrypt the password – e2rabi Sep 24 '18 at 21:55
  • In this case you can just borrow the idea: create an "encrypted" value offline, and put some prefix to the property so that the decryption that will happen in runtime will know which properties should be decrypted and which shouldn't. You can check the source code of spring-cloud-config and implement it there, or roll your own properties loader. – Mark Bramnik Sep 24 '18 at 22:01
  • I used this library to encrypt and decrypt values in my properties files. The problem was with the Spring Boot keys, server.ssl.key-password for example: I could not get this value in code using @Value – e2rabi Sep 24 '18 at 22:04
  • What if I need to decrypt it at server startup using Maven? Can't create bean 'dataSourceScriptDatabaseInitializer'. – iAmLearning Feb 18 '22 at 13:52
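
The prefix approach suggested in the comments above, sketched as an added example that is not code from the answer or from spring-cloud-config: a Spring Boot `EnvironmentPostProcessor` decrypts every `{cipher}`-prefixed value before `server.ssl.*` is bound, which `@Value` cannot do for those keys. The class name, the `APP_CONFIG_KEY` variable and the AES-GCM routine (a stand-in for the in-house library) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.*;

// Added example. Register in META-INF/spring.factories (class name is hypothetical):
// org.springframework.boot.env.EnvironmentPostProcessor=com.example.DecryptingPostProcessor
public class DecryptingPostProcessor implements EnvironmentPostProcessor {
    private static final String PREFIX = "{cipher}";

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        Map<String, Object> decrypted = new HashMap<>();
        Set<String> seen = new HashSet<>();
        for (PropertySource<?> source : env.getPropertySources()) {
            if (!(source instanceof EnumerablePropertySource)) continue;
            for (String name : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                Object value = source.getProperty(name);
                // Sources are ordered by precedence: only the first definition counts.
                if (seen.add(name) && value instanceof String
                        && ((String) value).startsWith(PREFIX)) {
                    decrypted.put(name, decrypt(((String) value).substring(PREFIX.length())));
                }
            }
        }
        if (!decrypted.isEmpty()) {
            // Highest precedence, so server.ssl.* binding sees the plaintext.
            env.getPropertySources().addFirst(new MapPropertySource("decrypted", decrypted));
        }
    }

    // Stand-in for the in-house library: AES-GCM over Base64(12-byte IV || ciphertext+tag).
    // APP_CONFIG_KEY is a hypothetical variable holding the Base64-encoded AES key.
    static String decrypt(String encoded) {
        try {
            byte[] key = Base64.getDecoder().decode(System.getenv("APP_CONFIG_KEY"));
            byte[] blob = Base64.getDecoder().decode(encoded);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(128, blob, 0, 12));
            return new String(cipher.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
        } catch (Exception e) { // fail startup; the message carries no secret material
            throw new IllegalStateException("Cannot decrypt configuration property", e);
        }
    }
}
```

With this registered, the properties file would carry `server.ssl.key-password={cipher}<encrypted value>`, and the key stays outside the source tree in the server's environment.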
1

Update: There is a similar/better answer to a duplicate question here, as pointed out by Adam in his comment.


We did something similar by incorporating the Jasypt tool. It's nicely baked into the Spring ecosystem. Basically you encrypt the values with an encryption key (a string) and put the encrypted value in your properties file surrounded by ENC(...). Then you put the encryption key in a specified environment variable on the server where your code is running. You can then map the encrypted values directly into variables with @Value(...).

Another option is not to store the password in your source at all, and instead secure those on the server in environment variables and access them directly at runtime. I think any way you slice it you end up relying on the fact that the server is secure, so it's important that you are confident that your server won't be compromised.

Michael W.
  • In my case I can't use Jasypt because we should use a specific developed library to encrypt and decrypt the password – e2rabi Sep 24 '18 at 21:54