How to hide the password in the command "java -Djasypt.encryptor.password=somepassword -jar name.jar"

Question

I am using Jasypt encryption and specifying the property value within ENC() in the properties file. The decryption password is sent through the command-line argument like this java -Djasypt.encryptor.password=somepassword -jar name.jar. Everything is working fine but the problem is when I search for the running process, it shows the password as well. Is there a way to hide the encryption password as well by read it from somewhere?

I thought of using the environment variables but that could also expose the password as well. So, decided against it.

Update: There was a solution in another SO post Spring Boot How to hide passwords in Properties file?

The solution what I followed was to create an environment variable with the name JASYPT_ENCRYPTOR_PASSWORD, execute the command java -jar name.jar and then unset the environment variable. This worked as I intended.

`echo password | java ....` and then read it instead of getting the property. — Thorbjørn Ravn Andersen, Jul 23 '19 at 17:01
Remember to clear it after use from the JVM or a heap dump can reveal it — Thorbjørn Ravn Andersen, Jul 23 '19 at 17:02

score 2 · Accepted Answer · answered Jul 24 '19 at 19:30

The solution what I followed was to create an environment variable with the name JASYPT_ENCRYPTOR_PASSWORD, execute the command java -jar name.jar and then unset the environment variable. This worked as I intended.

Setting an environment variable, for a short time or not doesn't matter, isn't a good idea. Even the shortest of time can be enough that an attacker can get access to it. There are similar attacks where the name of a temporary file could be predicted and allowed an attacker to create a link with that name to e.g. access the /etc/passwd-file, etc.

The problem exists for a while so there are a couple of solutions out there already, most of which work with a file that contains the password or a key store that is used to do encryption and decryption of sensible data.

If you look e.g. at JBoss they use something called a vault. There is a manual page explaining the single steps. You can recreate all of this for your application or just read the plain text password from a file where you specify the filename e.g. as system property. The file itself must be secured against unauthorized access on the file system level (set the read permission for the owner only) and - if necessary - within your application by setting a SecurityManager that denies access to this file by other classes than the one that is used to read it in. This is common practice with security relevant applications like PGP or OpenSSL.

score 0 · Answer 2 · answered Jun 20 '22 at 05:18

Jasypt Is the most common and easy way to encrypt application properties .

As mentioned above You can use an environment variable to store the Password for Jasypt encryption or decryption and pass on the variable while running your application as jar .

But the Purpose of vault is bot more different , You can store and encrypt more than required in vault , vault provides you more control in terms of Encryption . You can update or change values in Run time as well using Vault .

The secrets generated in Vault is bit more dynamic instead of user defined , it completely abstracts the encryption .

Hence it depends on your use case either to use vault or JASYPT . But both are used in Industry widely .

I prefer JASYPT as a developer but as a whole project I use Vault in Prod .

score -2 · Answer 3 · answered Jul 23 '19 at 18:12

You can definitely use Jasypt to read from EncryptableProperties stored in a properties file using something like this:

datasource.username=reportsUser 
datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)

And then you can retrieve the properties (both encrypted and not) from your program:

StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();     
encryptor.setPassword("jasypt"); // could be got from web, env variable...    

Properties props = new EncryptableProperties(encryptor);  
props.load(new FileInputStream("/path/to/my/configuration.properties"));

String datasourceUsername = props.getProperty("datasource.username");

String datasourcePassword = props.getProperty("datasource.password");

Note that in the example above, both the unencrypted and encrypted properties are retrieved the same way, while Jasypt handles the decryption/encryption automatically.

Here's a link to the relevant Jasypt documentation: http://www.jasypt.org/encrypting-configuration.html

And here's a similar question in SO with more details:

https://stackoverflow.com/a/10307724/236528

The question is about encrypting Jasypt password itself. – deepankardixit90 Mar 19 '22 at 19:08 — deepankardixit90, Mar 19 '22 at 19:08

How to hide the password in the command "java -Djasypt.encryptor.password=somepassword -jar name.jar"

3 Answers3

Linked