no

How to Use Jasypt or Jce to Encrypt Passwords in Spring Config

Jasypt and JCE are two encryption protocols that we can use in our Spring config to secure passwords. For example, if you wanted to encrypt ...

Jasypt and JCE are two encryption protocols that we can use in our Spring config to secure passwords. For example, if you wanted to encrypt the API token of your Github repository. Or encrypting the Spring config server's security.user.password value.

Jasypt Example

Instruction on how we can use Jasypt in our Spring Boot application security.

1. Create a new Spring project, we will use it to encrypt our password.

2. Include jasypt dependency.

<dependency>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-spring-boot-starter</artifactId>
  <version>3.0.3</version>
</dependency>

3. Use this code block to encrypt a string.

private static void encryptString() {
	StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
	encryptor.setPassword("password");
	encryptor.setAlgorithm("PBEWITHSHA1ANDDESEDE");
	encryptor.setIvGenerator(new RandomIvGenerator());

	String result = encryptor.encrypt("Hello World!");
	System.out.println("encrypted=" + result); // prints differently on each run

	result = encryptor.decrypt(result);
	System.out.println("decrypted=" + result);
}

4. To use it in Spring security, we must set add these security lines in Spring config's bootstrap.xml file

security:
	user:
		name: czetsuya
		password: ENC(3E31QZ4Ih8kbEYl141+Hd8zG1N/Pt9c60nHkGX9lnG4=)

5. And on the service side Spring application, we need to configure the Spring cloud config location and jasypt encryptor password.

spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: ENC(T9aWpcoGGXGV6x+D/oiJGWkvJSBjwEmpLaBy7utknQo=)

jasypt:
	encryptor:
		password: password # or you can replace this with an environment variable ${JASYPT_ENCRYPTOR_PASSWORD}

JCE Example

Instruction on how we can use JCE in our Spring Boot application security.

To make this exercise easier on Windows, I'll be using WSL2 to run Ubuntu and install sdkman.

You must also take note of the latest spring-boot-cli version from https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-cli

Follow this guide https://sdkman.io/install. Check if it succeeded by running the command `sdkman version` in a terminal.

Execute the following commands:

# install spring
sdk install springboot

# install spring-cloud-cli
spring install org.springframework.cloud:spring-cloud-cli:3.0.2

# encrypt your text
spring encrypt 'Hello World!' --key 'password'
# results in 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1
# should be different on each run

# decrypt the text
spring decrypt 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1 --key 'password'

As before we need to set the encrypted password both in the Spring cloud config server and client. This time instead of using 'ENC', we will use 'cipher'.

Server

security:
	user:
		name: czetsuya
		password: 'cipher{5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1}'

Client

spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: 'cipher{3079cb49646bf1a11dc15e3563c16cb3fb614aebdb5fe389f75d48d3ac43ae6f}'

encrypt:
  key: password # or you can replace this with an environment variable ${ENCRYPT_KEY}

And there you go folks, stop committing your password in plaintext on public repositories :-)

Related

spring-config 8215487763573843581

Post a Comment Default Comments

item