Chapter 4. How to use encrypted property placeholders in Spring Boot


When securing a container, using plain text passwords in configuration files is not recommended. One way to avoid plain text passwords is to use encrypted property placeholders whenever possible.

4.1. About the master password for encrypting values

To use Jasypt to encrypt a value, a master password is required. It is up to you or an administrator to choose the master password. Jasypt can be integrated into the Spring configuration framework so that property values are decrypted as the configuration file is loaded. Jasypt provides several ways to set the master password; one way is to specify it in plain text in a Spring Boot configuration.

Spring uses the PropertyPlaceholder framework to replace tokens with values from a properties file, and Jasypt’s approach replaces the PropertyPlaceholderConfigurer class with one that recognizes encrypted strings and decrypts them.

Example

<bean id="propertyPlaceholderConfigurer"
      class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
  <constructor-arg ref="configurationEncryptor" />
  <property name="location" value="/WEB-INF/application.properties" />
</bean>

<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="config" ref="environmentVariablesConfiguration" />
</bean>

<bean id="environmentVariablesConfiguration"
      class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  <property name="algorithm" value="PBEWithMD5AndDES" />
  <property name="password" value="myPassword" />
</bean>

Instead of specifying the master password in plain text, you can use an environment variable to set your master password. In the Spring Boot configuration file, specify this environment variable as the value of the passwordEnvName property. For example, if you set the MASTER_PW environment variable to your master password, then you would have this entry in your Spring Boot configuration file:

<property name="passwordEnvName" value="MASTER_PW" />

4.2. Using Encrypted Property Placeholders in Spring Boot

By using Jasypt, you can encrypt property sources; the application can then decrypt the encrypted properties and retrieve the original values. The following procedure explains how to encrypt and decrypt property sources in Spring Boot.

Procedure

  1. Add the Jasypt dependency to your project’s pom.xml file.

    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>3.0.3</version>
    </dependency>

  2. Add the Maven repository to your project’s pom.xml.

    <repository>
        <id>jasypt-basic</id>
        <name>Jasypt Repository</name>
        <url>https://repo1.maven.org/maven2/</url>
    </repository>

  3. Add the Jasypt Maven plugin to your project as well; it allows you to use Maven commands for encryption and decryption.

    <plugin>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-maven-plugin</artifactId>
        <version>3.0.3</version>
    </plugin>

  4. Add the plugin repository to pom.xml.

    <pluginRepository>
       <id>jasypt-basic</id>
       <name>Jasypt Repository</name>
       <url>https://repo1.maven.org/maven2/</url>
    </pluginRepository>

  5. To encrypt the username and password listed in the application.properties file, wrap these values inside DEC() as shown below.

    spring.datasource.username=DEC(root)
    spring.datasource.password=DEC(Password@1)

  6. Run the following command to encrypt the username and password.

    mvn jasypt:encrypt -Djasypt.encryptor.password=mypassword

    This replaces the DEC() placeholders in the application.properties file with the encrypted values, for example:

    spring.datasource.username=ENC(3UtB1NhSZdVXN9xQBwkT0Gn+UxR832XP+tOOfFTlNL57FiMM7BWPRTeychVtLLhB)
    spring.datasource.password=ENC(4ErqElyCHjjFnqPOCZNAaTdRC7u7yJSy16UsHtVkwPIr+3zLyabNmQwwpFo7F7LU)

  7. To decrypt the credentials in the Spring application configuration file, run the following command.

    mvn jasypt:decrypt -Djasypt.encryptor.password=mypassword

    This prints out the content of the application.properties file as it was before the encryption. However, this does not update the configuration file.
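
A check that can run before application.properties is committed, as an added example that is not part of the Red Hat documentation or the Jasypt project: it reports values still wrapped in DEC() and credential-like keys holding plain text, without printing the values themselves. The function names check_props and sample_props, the key-name heuristic and the sample data are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not Red Hat or Jasypt code): audit a properties file for
# values that step 6 has not encrypted yet. Findings name the key and line
# only, never the value, so the report itself does not leak the secret.

# check_props [FILE]: reads FILE (or stdin); returns 1 if anything is flagged.
check_props() {
    awk '
    /^[ \t]*$/    { next }               # blank line
    /^[ \t]*[#!]/ { next }               # properties-file comment
    {
        sep = index($0, "=")
        if (sep == 0) next
        key = substr($0, 1, sep - 1)
        val = substr($0, sep + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)

        if (val ~ /^ENC\(.+\)$/) next    # already encrypted
        if (val ~ /^DEC\(.*\)$/) {       # marked, but jasypt:encrypt not run
            printf "%d: %s is still wrapped in DEC()\n", NR, key
            bad = 1
            next
        }
        if (substr(val, 1, 2) == "${") next   # Spring placeholder, resolved elsewhere
        # Assumption: keys with these words hold credentials (hypothetical heuristic).
        if (val != "" && tolower(key) ~ /password|secret|username/) {
            printf "%d: %s holds a plain text value\n", NR, key
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input, not a real configuration.
sample_props() {
    cat <<'EOF'
# constructed sample
spring.datasource.url=jdbc:mysql://localhost:3306/app
spring.datasource.username=DEC(root)
spring.datasource.password=ENC(Q09OU1RSVUNURUQ=)
app.api.secret=changeme
EOF
}

# Demo: prints two findings for the sample, then the summary line.
sample_props | check_props || echo "unencrypted values found"
```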

© 2024 Red Hat, Inc.