It’s bad practice to keep plaintext passwords in application.properties for Spring Boot applications. At the very least, you should make them less obvious. Jasypt is a handy tool for this. It’s not bulletproof, but it hides the passwords that would otherwise sit in plain sight, and recovering them takes some effort.
- include the Maven dependency for jasypt-spring-boot-starter

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.5</version>
</dependency>
```
- annotate your application class with @EnableEncryptableProperties
- in application.properties, write the encrypted values as ENC(…)

```properties
secret.property=ENC(nrmZtkF7T0kjG/VodDvBw93Ct8EgjCA+)
```
- encrypt/decrypt in code

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class SecretCodec {

    // Encrypts text with a password-based encryptor; the settings must match
    // the ones the application uses to decrypt ENC(...) values.
    public String encrypt(String secret, String text) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(secret);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor.encrypt(text);
    }

    // Decrypts a base64 ciphertext produced with the same settings and password.
    public String decrypt(String secret, String cipher) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(secret);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor.decrypt(cipher);
    }
}
```
- configure the default encryptor in application.properties

```properties
jasypt.encryptor.password=hello
jasypt.encryptor.algorithm=PBEWithMD5AndDES
#jasypt.encryptor.key-obtention-iterations=1000
#jasypt.encryptor.pool-size=1
#jasypt.encryptor.provider-name=SunJCE
#jasypt.encryptor.salt-generator-classname=org.jasypt.salt.RandomSaltGenerator
#jasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator
#jasypt.encryptor.string-output-type=base64
```
- produce the encrypted values used in step 3 (the ENC(…) entries) with the jasypt CLI. Using password="abc123", encrypt the message "hellojasypt", then decrypt the output to validate it.

```shell
java -cp C:\Users\wofon\.m2\repository\org\jasypt\jasypt\1.9.3\jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="hellojasypt" password="abc123" algorithm=PBEWithMD5AndDES
java -cp C:\Users\wofon\.m2\repository\org\jasypt\jasypt\1.9.3\jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringDecryptionCLI input="QIMBpiPCmCiqrg8E2w+VGTHunWWu6gO2" password="abc123" algorithm=PBEWithMD5AndDES
```
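The following is an added example, not code from the post or from the jasypt-spring-boot project. It ties the encrypt/decrypt code and the CLI step together in one runnable class: it builds the encryptor once with the same settings the post configures, wraps the result as an ENC(…) property value, decrypts it again, and shows two properties worth knowing when you validate values: the random salt makes every encryption of the same text differ, and decrypting with the wrong password fails with EncryptionOperationNotPossibleException rather than returning garbage. The environment variable name JASYPT_ENCRYPTOR_PASSWORD is an assumption chosen here; reading the password from the environment instead of application.properties is the design choice that keeps the encryptor password out of the same file as the ciphertexts. Whatever produces the ENC(…) values must use the same algorithm, salt generator and IV generator as the running application, or decryption fails.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptRoundTrip {

    // Same settings as the post's configuration, so values produced here
    // decrypt inside the Spring Boot application.
    static PooledPBEStringEncryptor encryptor(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wraps a ciphertext the way application.properties expects it.
    static String toPropertyValue(String cipher) {
        return "ENC(" + cipher + ")";
    }

    // Strips the ENC(...) wrapper so a property value can be handed to decrypt().
    static String fromPropertyValue(String value) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC(...) value: " + value);
        }
        return value.substring(4, value.length() - 1);
    }

    public static void main(String[] args) {
        // JASYPT_ENCRYPTOR_PASSWORD is an assumed variable name (not a jasypt default);
        // the fallback is the sample password from the post's CLI step.
        String password = System.getenv().getOrDefault("JASYPT_ENCRYPTOR_PASSWORD", "abc123");
        PooledPBEStringEncryptor enc = encryptor(password);

        String first = enc.encrypt("hellojasypt");
        String second = enc.encrypt("hellojasypt");
        System.out.println("secret.property=" + toPropertyValue(first));

        // Random salt: same plaintext, same password, different ciphertext.
        System.out.println("ciphertexts differ: " + !first.equals(second));

        // Both ciphertexts decrypt to the original text.
        String property = toPropertyValue(first);
        System.out.println("decrypted: " + enc.decrypt(fromPropertyValue(property)));
        System.out.println("decrypted: " + enc.decrypt(second));

        // A wrong password is rejected instead of yielding garbage.
        try {
            encryptor("not-the-password").decrypt(first);
            System.out.println("unexpected: wrong password accepted");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong password rejected");
        }
    }
}
```

Run it with jasypt 1.9.3 on the classpath (the starter pulls it in). Because the salt is random, the ENC(…) value printed here will not match the one from the CLI step, but both decrypt to hellojasypt with the same password and settings.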
Reference:

- https://github.com/ulisesbocchio/jasypt-spring-boot
- https://www.geeksforgeeks.org/how-to-encrypt-passwords-in-a-spring-boot-project-using-jasypt/
- https://infobrisk.com/tech-insights/how-to-use-jasypt-in-spring-boot-application/