
I have a Spring Boot application that stores certain passwords which are used by another application (App2) to get connections to databases.

I want to encrypt these passwords such that they can be decoded in App2 if a key is available. What's the best way to go about it?

BCrypt does not serve my purpose, as I also need to decode the data.

sah1

2 Answers


You can use the AES encryption algorithm; here is an example of encryption and decryption in Java:

// Imports required by this fragment (the members below live inside one class,
// together with the main method shown further down)
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// "AES" alone resolves to AES/ECB/PKCS5Padding on the JDK: no IV, so the same
// password always produces the same ciphertext. AES/GCM/NoPadding with a random
// nonce is the stronger choice for anything beyond a demo.
private static final String ALGO = "AES";
// AES keys must be exactly 16, 24 or 32 bytes; the original 4-byte {'T','E','S','T'}
// is rejected by Cipher.init ("Invalid AES key length"), so a 16-byte placeholder
// test key is used here. A real key must not be hard-coded in the source.
private static final byte[] keyValue = "TESTTESTTESTTEST".getBytes(StandardCharsets.UTF_8);

/**
 * Encrypt a string using the AES encryption algorithm.
 *
 * @param pwd the password to be encrypted
 * @return the encrypted string, Base64-encoded (empty on failure)
 */
public static String encrypt(String pwd) {
    String encodedPwd = "";
    try {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGO);
        c.init(Cipher.ENCRYPT_MODE, key);
        // Fix the charset explicitly so App1 and App2 agree on the byte encoding
        byte[] encVal = c.doFinal(pwd.getBytes(StandardCharsets.UTF_8));
        encodedPwd = Base64.getEncoder().encodeToString(encVal);
    } catch (Exception e) {
        e.printStackTrace();
    }
    return encodedPwd;
}

/**
 * Decrypt a string with the AES encryption algorithm.
 *
 * @param encryptedData the Base64-encoded data to be decrypted
 * @return the decrypted string (empty on failure)
 */
public static String decrypt(String encryptedData) {
    String decodedPWD = "";
    try {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGO);
        c.init(Cipher.DECRYPT_MODE, key);
        byte[] decodedValue = Base64.getDecoder().decode(encryptedData);
        byte[] decValue = c.doFinal(decodedValue);
        decodedPWD = new String(decValue, StandardCharsets.UTF_8);
    } catch (Exception e) {
        // Do not swallow failures silently: a wrong key or corrupted input
        // surfaces here as BadPaddingException / IllegalBlockSizeException
        e.printStackTrace();
    }
    return decodedPWD;
}

/**
 * Build the AES key from the raw key bytes.
 */
private static Key generateKey() {
    return new SecretKeySpec(keyValue, ALGO);
}

Let's test the example in a main method:

public static void main(String[]args) {

    System.out.println(encrypt("password"));
    System.out.println(decrypt(encrypt("password")));

}

The result:

LGB7fIm4PtaRA0L0URK4RA==
password
yali
  • Hi, the solution looks good, but since I am using Spring Boot, I directly made use of TextEncryptor. – sah1 Feb 27 '19 at 14:25
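The answer above uses the bare "AES" transformation (ECB, no IV) with a key compiled into the class. The following is an added example, not code from the answer or from any project on this page, showing what the same encrypt/decrypt pair looks like when App1 and App2 share a key that is loaded from outside the code and use AES-GCM with a fresh random nonce per value: identical passwords produce different ciphertexts, and a tampered or wrong-key value is rejected instead of decrypting to garbage. The environment variable name `DB_PASSWORD_KEK` and the class name are assumptions; the demo key in `main` is constructed so the example runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class SharedSecretCrypto {

    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;     // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    public SharedSecretCrypto(byte[] rawKey) {
        if (rawKey.length != 16 && rawKey.length != 24 && rawKey.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + rawKey.length);
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Loads a Base64-encoded key from an environment variable (hypothetical name DB_PASSWORD_KEK). */
    public static SharedSecretCrypto fromEnvironment(String variable) {
        String encoded = System.getenv(variable);
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("environment variable " + variable + " is not set");
        }
        return new SharedSecretCrypto(Base64.getDecoder().decode(encoded));
    }

    /** Returns Base64(nonce || ciphertext || tag); a fresh random nonce is drawn on every call. */
    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Splits off the nonce and decrypts; a wrong key or a modified value throws AEADBadTagException. */
    public String decrypt(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short to contain nonce and tag");
        }
        byte[] nonce = Arrays.copyOfRange(in, 0, NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(in, NONCE_BYTES, in.length);
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed 32-byte demo key so the example runs offline;
        // App1 and App2 would both call fromEnvironment("DB_PASSWORD_KEK") instead
        byte[] demoKey = new byte[32];
        RNG.nextBytes(demoKey);
        SharedSecretCrypto crypto = new SharedSecretCrypto(demoKey);

        String c1 = crypto.encrypt("password");
        String c2 = crypto.encrypt("password");
        System.out.println(c1);
        System.out.println(c2);                       // differs from c1 because of the random nonce
        System.out.println(crypto.decrypt(c1));       // password

        // Flip one ciphertext byte: GCM reports tampering instead of returning garbage
        byte[] tampered = Base64.getDecoder().decode(c1);
        tampered[tampered.length - 1] ^= 0x01;
        try {
            crypto.decrypt(Base64.getEncoder().encodeToString(tampered));
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected");
        }
    }
}
```

The key never appears in the source or in a properties file committed with it; both applications read the same Base64 value from their environment (or a secret store that populates it). Because the nonce is stored in front of the ciphertext, App2 needs nothing beyond the key and the stored string to decrypt.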

Use a TextEncryptor as you are already using Spring. The password and salt that you use when you create one represent your secret:

Encryptors.text("password", "salt");
ewramner
  • Hi, TextEncryptor looks good, but it would possibly result in me storing the password and salt in a properties file. Is there a way to make it more secure? – sah1 Feb 27 '19 at 11:42
  • Regardless of what super-secure algorithm you decide on, you will need to store the secret somewhere. Can't see a way around that. You can store them encrypted, but then you need the key to encrypt them, and where will you get that? You can store them obfuscated (for example base64) to prevent them from being seen, but that is no real security either. – ewramner Feb 27 '19 at 11:45
  • Hi, thanks for the help! Just one more thing: while implementing TextEncryptor I get `Unable to initialize due to invalid secret key`, which is caused by JCE. How do I include JCE in my Spring Boot application? – sah1 Feb 27 '19 at 12:17
  • Java version: 8u191, so JCE shouldn't really be a problem-causing parameter. – sah1 Feb 27 '19 at 13:49
  • It sounds very much like http://forum.spring.io/forum/spring-projects/security/104042-unable-to-initialize-due-to-invalid-secret-key. – ewramner Feb 27 '19 at 14:12
  • Yes, but for 8u161+ by default JCE is included and the crypto.policy is set to unlimited [https://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters] – sah1 Feb 27 '19 at 14:16
  • Just checked my buildpath, the jdk default was set to 151. Switching back to 191 makes the code work. Thanks a ton! – sah1 Feb 27 '19 at 14:19
  • @ewramner In my application the admin needs to log in to a user account, and the admin has the encoded password. So is there a way for the admin to bypass this password encoding while logging in? Please help me. I.e., in my app there are two ways of logging in: one by the user, which happens normally with the clear-text password and uses password encoding in Spring Boot, and the other by the admin, where the hashed password is used by the admin and needs to bypass the Spring Boot password encoding. I am using BCryptEncoder. – KJEjava48 Feb 02 '21 at 13:19
  • @KJEjava48 that is a separate question. In short you can do anything you want in your own application. I don't see why the admin should have to enter the hash; just implement a feature where the admin logs in as himself and then is allowed to impersonate a user. Using the hash is just a roundabout way to do that and is insecure as anyone with access to the data can then login as someone else using the hash. – ewramner Feb 03 '21 at 06:56
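The second answer and its comment thread leave two practical points open: how to build the `TextEncryptor` without placing the password and salt in the packaged properties file, and how to produce the hex salt that `Encryptors.text` expects. The following is an added example, not code from the answer or from Spring itself, and it assumes the `spring-security-crypto` dependency is on the classpath. The environment variable names `DB_VAULT_PASSWORD` and `DB_VAULT_SALT` and the class name are assumptions; the values in `main` are constructed so the example runs offline.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public final class DbPasswordVault {

    /**
     * Builds the encryptor from secrets that live outside the packaged properties file.
     * Both App1 and App2 must be started with the same two values, otherwise App2
     * cannot decrypt what App1 stored. (Hypothetical variable names.)
     */
    static TextEncryptor fromEnvironment() {
        String password = require("DB_VAULT_PASSWORD");
        String salt = require("DB_VAULT_SALT");   // hex string, as Encryptors.text expects
        return Encryptors.text(password, salt);
    }

    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    /** Generates a salt once per deployment; keep it next to the password in the secret store. */
    static String newSalt() {
        return KeyGenerators.string().generateKey();   // 8 random bytes, hex-encoded
    }

    public static void main(String[] args) {
        // Constructed demo secrets so this runs offline; a deployment uses fromEnvironment()
        String salt = newSalt();
        TextEncryptor encryptor = Encryptors.text("constructed-demo-password", salt);

        String stored = encryptor.encrypt("db-secret");
        System.out.println(stored);                     // hex; a random IV is prepended, so repeated calls differ
        System.out.println(encryptor.decrypt(stored));  // db-secret

        // A different password (or salt) cannot recover the value
        TextEncryptor other = Encryptors.text("wrong-password", salt);
        try {
            other.decrypt(stored);
        } catch (IllegalStateException e) {
            // Encryptors.text is AES-CBC: a wrong key almost always fails the padding check.
            // It carries no authentication tag, so a rare wrong-key decrypt can return garbage.
            System.out.println("wrong secret: " + e.getMessage());
        }
    }
}
```

`Encryptors.text` derives a 256-bit AES key from the password and salt with PBKDF2, which is why the `Unable to initialize due to invalid secret key` error in the comments appears on a JDK whose crypto policy is still limited. `Encryptors.delux(password, salt)` has the same signature and uses AES-GCM, so it also detects tampering; it is the better default when App2 is the only consumer and the stored format does not have to stay compatible with older data.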