Database passwords written in plain text in configuration files are a serious security risk: once the file leaks, the password leaks with it. In enterprises with strict security requirements in particular, we need a way to encrypt these passwords. This article focuses on Jasypt encryption of Spring Boot configuration files.
Add the Maven dependency

    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>3.0.3</version>
    </dependency>
Generate the encrypted strings

Encrypt the username and password used to connect to the database:

    import org.jasypt.util.text.BasicTextEncryptor;

    public class JasyptEncryptDemo {
        public static void main(String[] args) {
            BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
            // Salt required for encryption (the value later supplied as jasypt.encryptor.password)
            textEncryptor.setPassword("Bt%XJ^n1j8mz");
            // Data to be encrypted (database username or password)
            String username = textEncryptor.encrypt("toutou");
            String password = textEncryptor.encrypt("demo123456");
            System.out.println("username:" + username);
            System.out.println("password:" + password);
        }
    }
The following output is displayed:
Copy the encrypted username and password from the output for later use.

Configure the properties

Add the generated encrypted strings to application.properties, each wrapped as ENC(encrypted string):

    spring.datasource.driver-class-name=com.mysql.jdbc.Driver
    spring.datasource.url=jdbc:mysql://127.0.0.1:3306/mytest?useSSL=false&useUnicode=true&characterEncoding=utf-8&zeroDateTimeBehavior=convertToNull&serverTimezone=GMT%2b8
    # Salt required for encryption
    #jasypt.encryptor.password=Bt%XJ^n1j8mz
    # Default encryption mode is PBEWithMD5AndDES; it can be changed to PBEWithMD5AndTripleDES
    #jasypt.encryptor.algorithm=PBEWithMD5AndDES
    spring.datasource.username=ENC(d/qt1SXvttpkiugIzTYkxg==)
    spring.datasource.password=ENC(rhT6VNpoRUkQYYOHAQ58V4/+fkj9CWfT)
    spring.datasource.max-idle=10
    spring.datasource.max-wait=10000
    spring.datasource.min-idle=5
    spring.datasource.initial-size=5
Dynamic salt value

If the decryption key is also in the configuration file, anyone who obtains the deployed code from your server can easily decrypt the password.

To prevent the salt from leaking and the password from being recovered, delete jasypt.encryptor.password from application.properties and pass it as a parameter when running locally. The diagram below:

Or pass the salt value on the command line when the project is deployed.

With jasypt.encryptor.password hidden, the parameter has to be added to the Maven packaging command: clean package -Djasypt.encryptor.password=Bt%XJ^n1j8mz. Packaging without the parameter causes an error. The diagram below:

Then add the -Djasypt.encryptor.password parameter when deploying.

Full deployment command:

    java -jar -Djasypt.encryptor.password=Bt%XJ^n1j8mz hello-0.0.1-SNAPSHOT.jar
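As an added example (not code from the original article or from the Jasypt project), the following Python check can run before packaging to confirm that application.properties no longer carries jasypt.encryptor.password, including a commented-out copy, and that sensitive values are wrapped in ENC(). The function name, the patterns and the sample inputs are constructed for illustration, and the check assumes simple key=value lines.

```python
import re

ENC = re.compile(r"^ENC\(.+\)$")                # Jasypt-encrypted value
PLACEHOLDER = re.compile(r"^\$\{.+\}$")         # value resolved outside the file
SENSITIVE = re.compile(r"(password|username|secret)$", re.I)
# Matches the key property even when the line is commented out with # or !
KEY_LINE = re.compile(r"^\s*([#!]*)\s*jasypt\.encryptor\.password\s*[=:]\s*\S")


def audit(text):
    """Return (line_number, finding) tuples for a .properties file body."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        key_match = KEY_LINE.match(raw)
        if key_match:
            # A commented-out key is still readable by anyone holding the file.
            where = "commented-out" if key_match.group(1) else "active"
            findings.append((number, f"{where} jasypt.encryptor.password in file"))
            continue
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue
        if SENSITIVE.search(key) and not (ENC.match(value) or PLACEHOLDER.match(value)):
            findings.append((number, f"{key} is not wrapped in ENC()"))
    return findings


# Constructed samples modelled on the article's application.properties.
KEY_IN_FILE = """\
jasypt.encryptor.password=Bt%XJ^n1j8mz
spring.datasource.username=ENC(d/qt1SXvttpkiugIzTYkxg==)
spring.datasource.password=ENC(rhT6VNpoRUkQYYOHAQ58V4/+fkj9CWfT)
"""
KEY_COMMENTED = KEY_IN_FILE.replace("jasypt.", "# jasypt.", 1)
KEY_EXTERNAL = KEY_IN_FILE.split("\n", 1)[1]    # key supplied with -D instead
PLAINTEXT = "spring.datasource.password=demo123456\nspring.datasource.max-idle=10\n"

if __name__ == "__main__":
    for name in ("KEY_IN_FILE", "KEY_COMMENTED", "KEY_EXTERNAL", "PLAINTEXT"):
        print(name, audit(globals()[name]))
```

A clean result only covers the file: a value passed with -D is still visible in the command line of the running process to anyone with access to the host.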
Blog summary

Data encryption is a time-honored technology: encryption converts plain text into ciphertext using an encryption algorithm and an encryption key, while decryption converts ciphertext back into plain text using a decryption algorithm and key. At its heart is cryptography. Data encryption is still one of the most reliable ways for computer systems to protect information: it uses cryptographic techniques to conceal information and so keep it secure.

Safety is weightier than Mount Tai.
Source code address
Github.com/toutouge/ja…
Other references:
Github.com/ulisesbocch…