Last Updated on 07 November 2020
In this tutorial, I will guide you through encrypting sensitive information in a Spring Boot application configuration file (application.properties or application.yml), such as the username and password of a datasource, the credentials of an SMTP server, etc., using the Jasypt library, in order to improve the security of Java applications based on the Spring framework. To follow this tutorial, you must have a Maven installation on your computer (outside any IDE).
1. What is Jasypt?
Jasypt stands for Java Simplified Encryption, a high-security and high-performance encryption library that allows developers to add basic encryption capabilities to their projects with minimal effort, without needing deep knowledge of how cryptography works. Jasypt provides standards-based encryption techniques which can be used for encrypting passwords, texts, numbers, binaries, and so on, and it integrates seamlessly and transparently with enterprise frameworks like Spring and Hibernate. Jasypt is easy to use yet highly configurable. For more information, you can visit the Jasypt homepage.
2. Declare dependencies for Jasypt Spring Boot and Jasypt Maven plugin
In order to use the Jasypt library in a Spring Boot application, you need to declare the following dependency in the project's pom.xml file:
This adds some JAR files to the project's classpath, which allow Jasypt to decrypt the encrypted values in the application configuration file transparently.
Then you also need to declare the Jasypt Maven plugin as follows:
This runs the Jasypt Maven plugin to encrypt the string n@mHm2020 using the default encryption configuration with the private key cafe21. In the output, you would see it print something like this:
Here, the encrypted value is wrapped inside ENC(), and you can replace a password in the configuration file with this value. If you run the above command again, you will see a different encrypted value, because the default encryptor uses a random salt generator. That means the same string can produce different encrypted values even though the private key is the same. The default encryption algorithm is bidirectional, which means you can also decrypt. Type the following command:
This decrypts the specified value using the default encryption configuration with the private key cafe21. You would then see it print the original value n@mHm2020. These encrypt and decrypt commands are the very basic ones you should be familiar with.
4. Encrypt credentials in application.properties file
Suppose that you want to encrypt the username and password of a Spring data source in the following application.properties file:
Voila! Very easy and convenient, right? No manual copy and paste. Just put the values you want to encrypt inside DEC() and run the mvn jasypt:encrypt command.
5. Run a Spring Boot application with Jasypt
Now, to run the Spring Boot application, you need to pass the private key password as a VM argument in the command prompt like this:
To run the Spring Boot application in Eclipse or Spring Tool Suite IDE, you need to edit the run configuration by passing a VM argument like this:
Start the application, and it will run smoothly as Jasypt decrypts the encrypted credentials transparently.
6. Decrypt credentials in Spring application configuration file
In case you want to see the original values of the encrypted ones in the Spring Boot configuration file, type the following Maven command:
Jasypt will print the content of the application.properties file in the output, as it was before encryption. So this command is useful for checking and verification purposes. Note that it doesn't update the configuration file.
7. Encrypt credentials in application.yml file
By default, Jasypt will update the application.properties file. In case you're using application.yml in your project, specify the path of the file in the command like this:
Then the Jasypt Maven plugin will replace the values encrypted with the old password cafe21 with new ones encrypted with the new password 10duke, and you get the configuration file updated instantly. Very convenient.
9. Configure encryptor in Spring configuration class
Jasypt is easy to use, as you've seen with the commands above. It is also highly configurable if you have some knowledge of cryptography and want to customize the settings of the encryptor. For example, create a new Spring configuration class in the project as follows:
package net.codejava.security;

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptAdvancedConfig {

    // The bean name jasyptStringEncryptor is the one jasypt-spring-boot looks up,
    // so this encryptor replaces the default one used for ENC() values.
    @Bean(name = "jasyptStringEncryptor")
    public StringEncryptor getPasswordEncryptor() {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword("password"); // encryptor's private key
        config.setAlgorithm("PBEWithMD5AndDES"); // password-based encryption algorithm (JCE name)
        config.setKeyObtentionIterations("1000"); // key derivation iterations
        config.setPoolSize("1"); // number of pooled encryptor instances
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator"); // fresh random salt per encryption
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }
}
This code overrides the default encryption configuration, so you need to write some code to encrypt a password with it, like this:
That's the tutorial about encrypting passwords in a Spring Boot configuration file using the Jasypt library. To see the coding in action, I recommend you watch the following video:
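As an added example (not code from the original tutorial), the following stand-alone Java program builds an encryptor with the same settings as the JasyptAdvancedConfig class above, wraps the ciphertext in ENC() as the configuration file expects, and shows the two behaviours described in the encrypt/decrypt section: the random salt gives a different ciphertext on every run, and decryption with the same private key recovers the original value. It assumes the private key is supplied through the jasypt.encryptor.password system property (the property jasypt-spring-boot reads) and falls back to the tutorial's demo key cafe21 only for illustration.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class JasyptRoundTrip {

    // Same settings as the jasyptStringEncryptor bean in JasyptAdvancedConfig,
    // but the private key is passed in rather than hard-coded, so it can come
    // from the -Djasypt.encryptor.password VM argument (assumed property name).
    static PooledPBEStringEncryptor buildEncryptor(String privateKey) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(privateKey);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wrap the Base64 ciphertext the way application.properties expects it.
    static String toPropertyValue(PooledPBEStringEncryptor encryptor, String plain) {
        return "ENC(" + encryptor.encrypt(plain) + ")";
    }

    // Strip ENC( ... ) and decrypt; returns null if the value is not wrapped.
    static String fromPropertyValue(PooledPBEStringEncryptor encryptor, String value) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) {
            return null;
        }
        return encryptor.decrypt(value.substring(4, value.length() - 1));
    }

    public static void main(String[] args) {
        String key = System.getProperty("jasypt.encryptor.password", "cafe21"); // demo fallback only
        PooledPBEStringEncryptor encryptor = buildEncryptor(key);

        String first = toPropertyValue(encryptor, "n@mHm2020");
        String second = toPropertyValue(encryptor, "n@mHm2020");
        // Random salt: two encryptions of the same plaintext differ...
        System.out.println(first.equals(second) ? "same ciphertext" : "different ciphertext");
        // ...but both decrypt to the original value with the same private key.
        System.out.println("n@mHm2020".equals(fromPropertyValue(encryptor, first)));
        System.out.println("n@mHm2020".equals(fromPropertyValue(encryptor, second)));
    }
}
```

Run it with the jasypt core JAR on the classpath and -Djasypt.encryptor.password=<your key>; a value produced by toPropertyValue can be pasted directly into application.properties.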
Nam Ha Minh is a certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.
Comments
Failed to bind properties under 'server.ssl.key-store-password' to java.lang.String:
Any suggestions?