In practice, some configuration information of a project needs to be encrypted to reduce the risk of disclosure of sensitive information. For example, with Druid, you can encrypt database passwords based on the public-private key encryption it provides.

But more often, sensitive information such as Redis passwords and MQ passwords also need to be encrypted, which is not so convenient. This article introduces Jasypt, a Java library, and demonstrates how to encrypt configuration file information based on the Spring Boot project.

A simple SpringBoot project

Let’s start by creating a simple Spring Boot project to build a scenario for using encrypted data.

Either through Idea or the official website, first create a Spring Boot project with core dependencies as follows:

<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <! -- For convenience, Lombok dependencies are usually introduced --> <dependency> <groupId>org.projectlombok</groupId> <artifactId> Lombok </artifactId> </dependency>Copy the code

Create a config file class ConfigProperties:

@Data
@Component
public class ConfigProperties {
​
  @Value("${conf.url}")
  private String url;
​
  @Value("${conf.password}")
  private String password;
​
}
Copy the code

Configuration properties from the configuration file are injected into the class for later use.

Create a Controller class to test and verify that it works:

@RestController @RequestMapping("/") public class ConfigController { @Resource private ConfigProperties configProperties; @RequestMapping public void print(){ System.out.println(configProperties.getUrl()); System.out.println(configProperties.getPassword()); }}Copy the code

The application. Properties class is configured as follows:

The conf. Url = 127.0.0.1 conf. Password = admin123Copy the code

At this point, start the project, access the Controller, can print the configuration information, indicating that the program can run normally.

However, the password is displayed in the configuration file in plain text. If others see the configuration file, the password may be leaked.

Jasypt-based encryption

In view of the above situation, we usually encrypt sensitive information to avoid exposing plaintext password information and improve security level.

The basic idea of encryption is as follows: The encrypted content is stored in the configuration file and decrypted when the configuration file is resolved.

But if you have access to the project’s source code, and you know the encryption algorithm and the secret key, you can definitely decrypt it. Encryption here, it’s just an extra layer of security, but it’s not a panacea.

Let’s look at how to encrypt based on Jasypt.

The integration steps

The following is an upgrade based on the above Spring Boot project.

Environment to prepare

Different versions of Jasypt use different methods, here based on version 3.0.4, JDK8, Spring Boot 2.5.5 to demonstrate.

Before using the JRE, check whether the JRE of JDK8 has an open-ended JCE version installed. Otherwise, a decryption failure exception will be thrown during the encryption operation.

Go to the $JAVA_HOME/jre/lib/security directory and check whether the local_policy.jar and us_export_policy. jar packages are contained. If it does not contain through the Oracle’s official website to download, download address: www.oracle.com/java/techno… .

The download file is jce_policy-8.zip

The file contains three files:

README.txt
local_policy.jar
US_export_policy.jar
Copy the code

Check the $JAVA_HOME/jre/lib/security directory to see if the two JAR files exist. If not, copy them and overwrite them.

Introduction of depend on

Integrating Jasypt with Spring Boot is simple, and you can simply introduce the following dependencies:

<dependency> <groupId>com.github.ulisesbocchio</groupId> <artifactId>jasypt-spring-boot-starter</artifactId> The < version > 3.0.4 < / version > < / dependency >Copy the code

At this point, the Jasypt component auto-configuration takes effect, and only the data that needs to be encrypted needs to be processed.

To facilitate password encryption, you can also introduce a plugin in the build element of pom.xml, which will be used later:

<plugin> <groupId>com.github.ulisesbocchio</groupId> <artifactId>jasypt-maven-plugin</artifactId> < version > 3.0.4 < / version > < / plugin >Copy the code

At this point, all the preparatory work has been completed.

Content encryption

There are many ways to encrypt content. Here are two of them.

Method 1: The unit test class generates ciphertext.

Build the following unit test class to encrypt the password using the StringEncryptor instantiated by default:

@SpringBootTest class SpringBootJasyptApplicationTests { @Autowired private StringEncryptor stringEncryptor; @Test void contextLoads() { String qwerty1234 = stringEncryptor.encrypt("admin123"); System.out.println(qwerty1234); }}Copy the code

Of these, “admin123” is what you want to encrypt. The encrypted content can be printed by executing the above procedure. The default values are used for all encrypted content.

Method 2: Use Maven plug-in to generate ciphertext

Jasypt Maven plug-in has been introduced above, which can generate passwords through corresponding commands.

Step 1: Add the encrypted password to the configuration file:

jasypt.encryptor.password=afx11
Copy the code

Add “DEC(“, “)” to the end of the data before the data, and modify as follows:

conf.password=DEC(admin123)
Copy the code

DEC() is added here to tell the plug-in that this part of the content needs to be encrypted. Notice that the keyword here is DEC.

Step 2: Run Maven to encrypt the data

Run the following command in the command:

mvn jasypt:encrypt -Djasypt.encryptor.password=afx11
Copy the code

Conf. Password = conf.password;

Jasypt. The encryptor. Password = afx11 conf. Url = 127.0.0.1 conf.password=ENC(209eBdF3+jsV2f8kDjs4NOCzgBxnVgETlR5q2KfhYo5DW2jqvLknv0TndEkXOXm0)Copy the code

Notice that DEC becomes ENC, and the plaintext password becomes encrypted ciphertext.

To view the plaintext, run the following command:

mvn jasypt:decrypt -Djasypt.encryptor.password=afx11
Copy the code

This command does not change the ciphertext in the configuration file to plaintext, but outputs the plaintext result on the console.

Jasypt. The encryptor. Password = afx11 conf. Url = 127.0.0.1 conf. Password = DEC (admin123)Copy the code

After the above operations, all transformation steps have been completed. You only need to start the system for verification.

Password transfer mode

After completing the above steps, start the system directly, access the corresponding request, and you will find that the original password has been successfully printed.

In the example above we put the encrypted password in the application.properties file, which is not secure, and you can see how to decrypt it if you look at the code. Typically, there’s another way to pass parameters: pass passwords in a startup command.

Such as:

Java jar jasypt - spring - the boot - demo - 0.0.1 - the SNAPSHOT. Jar -- jasypt. The encryptor. Password = passwordCopy the code

In this way, passwords do not have to be stored in code, which increases security to a certain extent. Of course, it can also be passed through environment variables so that even the developer cannot get the production password.

summary

So much for Jasypt use and integration with Spring Boot, and more information is available in the official documentation. If your project still has a lot of passwords in clear text, you really need to consider using a similar framework for encryption.

Example source code address: github.com/secbr/sprin…

Official source address: github.com/ulisesbocch…

About the blogger: Author of the technology book SpringBoot Inside Technology, loves to delve into technology and writes technical articles.

Public account: “program new vision”, the blogger’s public account, welcome to follow ~

Technical exchange: Please contact the weibo user at Zhuan2quan