How to Use Jasypt or JCE to Encrypt Passwords in Spring Config
Jasypt and JCE are two encryption libraries we can use in our Spring config to secure passwords. For example, if you wanted to encrypt ...
Jasypt Example
Instructions on how to use Jasypt to secure passwords in a Spring Boot application.
1. Create a new Spring project; we will use it to encrypt our password.
2. Include the jasypt dependency.
```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>
```
3. Use this code block to encrypt a string.
```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

private static void encryptString() {
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
    encryptor.setPassword("password"); // master password; keep it out of source control
    encryptor.setAlgorithm("PBEWITHSHA1ANDDESEDE");
    encryptor.setIvGenerator(new RandomIvGenerator());
    String result = encryptor.encrypt("Hello World!");
    System.out.println("encrypted=" + result); // prints differently on each run (random salt and IV)
    result = encryptor.decrypt(result);
    System.out.println("decrypted=" + result);
}
```
4. To use it with Spring Security on the config server, add these security lines to the Spring config server's bootstrap file:
```yaml
security:
  user:
    name: czetsuya
    password: ENC(3E31QZ4Ih8kbEYl141+Hd8zG1N/Pt9c60nHkGX9lnG4=)
```
5. On the client side (the service's Spring application), configure the Spring Cloud Config location and the Jasypt encryptor password. The password, algorithm and IV generator configured here must match the ones used to produce the ENC(...) values, otherwise the client cannot decrypt them.
```yaml
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: ENC(T9aWpcoGGXGV6x+D/oiJGWkvJSBjwEmpLaBy7utknQo=)
jasypt:
  encryptor:
    password: password # or replace this with an environment variable: ${JASYPT_ENCRYPTOR_PASSWORD}
```
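As an added example (not code from the original post or from the jasypt-spring-boot project), the small Java program below builds an encryptor with the same parameters used above, reads the master password from the JASYPT_ENCRYPTOR_PASSWORD environment variable (falling back to the literal "password" when unset), wraps values in ENC(...) the way the YAML expects, and shows that the value decrypts only with a matching encryptor configuration. It assumes Jasypt 1.9.x on the classpath, which the starter dependency brings in; the class and method names are my own.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

public class JasyptConfigValues {

    // Same algorithm as the post; it must also be the one the Spring Boot starter is configured with.
    static final String ALGORITHM = "PBEWITHSHA1ANDDESEDE";

    /** One encryptor per master password; algorithm and IV generator must match on both sides. */
    static StandardPBEStringEncryptor newEncryptor(String masterPassword) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(masterPassword);
        encryptor.setAlgorithm(ALGORITHM);
        encryptor.setIvGenerator(new RandomIvGenerator());
        return encryptor;
    }

    /** Wraps the ciphertext in ENC(...) as jasypt-spring-boot expects it in YAML. */
    static String toEncProperty(String plaintext, String masterPassword) {
        return "ENC(" + newEncryptor(masterPassword).encrypt(plaintext) + ")";
    }

    /** Unwraps ENC(...) and decrypts; returns null when decryption fails (wrong key or algorithm). */
    static String fromEncProperty(String property, String masterPassword) {
        if (!property.startsWith("ENC(") || !property.endsWith(")")) {
            return property; // plain property: pass it through unchanged, like the starter does
        }
        String ciphertext = property.substring(4, property.length() - 1);
        try {
            return newEncryptor(masterPassword).decrypt(ciphertext);
        } catch (EncryptionOperationNotPossibleException e) {
            return null; // Jasypt wraps bad-padding and similar failures in this exception
        }
    }

    public static void main(String[] args) {
        // Hypothetical deployment convention: master password comes from the environment, not from source.
        String master = System.getenv().getOrDefault("JASYPT_ENCRYPTOR_PASSWORD", "password");
        String first = toEncProperty("Hello World!", master);
        String second = toEncProperty("Hello World!", master);
        System.out.println(first);  // random salt and IV: the two ENC(...) values differ ...
        System.out.println(second);
        System.out.println(fromEncProperty(first, master));  // ... yet both decrypt to Hello World!
        System.out.println(fromEncProperty(second, master));
        System.out.println(fromEncProperty(first, "wrong-key")); // normally null: wrong master password
    }
}
```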
JCE Example
Instructions on how to use JCE to secure passwords in a Spring Boot application.
To make this exercise easier on Windows, I'll be using WSL2 to run Ubuntu and install sdkman.
Also take note of the latest spring-cloud-cli version at https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-cli; it is used in the install command below.
Follow this guide: https://sdkman.io/install. Check that it succeeded by running `sdk version` in a terminal.
Execute the following commands:
```bash
# install spring
sdk install springboot
# install spring-cloud-cli
spring install org.springframework.cloud:spring-cloud-cli:3.0.2
# encrypt your text
spring encrypt 'Hello World!' --key 'password'
# results in 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1
# should be different on each run
# decrypt the text
spring decrypt 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1 --key 'password'
```
As before, we set the encrypted password in the Spring Cloud Config server and client. This time, instead of wrapping the value in ENC(), we prefix it with {cipher}.
Server
```yaml
security:
  user:
    name: czetsuya
    password: '{cipher}5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1'
```
Client
```yaml
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: '{cipher}3079cb49646bf1a11dc15e3563c16cb3fb614aebdb5fe389f75d48d3ac43ae6f'
encrypt:
  key: password # or replace this with an environment variable: ${ENCRYPT_KEY}
```
And there you go, folks: stop committing your passwords in plaintext to public repositories :-)