Learnitweb

Spring Boot password encryption for application properties file using Jasypt

1. Introduction

In this tutorial, we’ll learn how to encrypt sensitive information in a Spring Boot application configuration file (application.properties or application.yml), such as the datasource username and password, using the Jasypt library.

When you create a Spring Boot application, you keep properties in configuration files (application.properties or application.yaml). You should not keep sensitive configuration values in application.properties as plain text. For example, you should not keep the database username and password, SMTP server credentials etc. as plain strings.

This is considered an application vulnerability: anyone who can read the file or the repository it is checked into can read the secrets. To address this, it is recommended to encrypt sensitive information in your configuration file.

2. Introduction to Java Simplified Encryption (Jasypt)

Jasypt is a Java library which allows adding basic encryption capabilities to a project with minimum effort and without requiring deep knowledge of how cryptography works.

Following are some features of Jasypt:

  • Jasypt provides standards-based encryption techniques, for both unidirectional (digest) and bidirectional (encrypt/decrypt) operations.
  • Jasypt can be easily integrated with Hibernate and Spring.
  • Jasypt provides the capability to encrypt application configuration.
  • Jasypt is thread safe.
  • Jasypt supports encryptor/digester pooling, in order to achieve high performance on multi-processor/multi-core systems.
  • Jasypt provides CLI (Command Line Interface) tools.

3. Adding Jasypt to Spring Boot application

In the pom.xml file, add the Maven dependency, which can be found at the following link:

https://mvnrepository.com/artifact/com.github.ulisesbocchio/jasypt-spring-boot-starter

For this tutorial, to demonstrate the use of Jasypt, add the following dependency:

<dependency>
	<groupId>com.github.ulisesbocchio</groupId>
	<artifactId>jasypt-spring-boot-starter</artifactId>
	<version>3.0.5</version>
</dependency>

To simplify the encryption and decryption process, you can also add the Maven plugin:

<plugin>
	<groupId>com.github.ulisesbocchio</groupId>
	<artifactId>jasypt-maven-plugin</artifactId>
	<version>3.0.5</version>
</plugin>

4. Secret encryption/decryption key

You need to decide on a secret key which is used for both encryption and decryption. You can choose any value as the secret key, but it must be kept out of the configuration file and the source repository, otherwise the encryption protects nothing. For this tutorial, we’ll use learnitweb as the secret key.

5. Encrypt configuration properties

Suppose there are the following properties which you want to encrypt:

spring.datasource.username=root
spring.datasource.password=admin

Enclose the values which you want to encrypt in DEC(). For example:

spring.datasource.username=DEC(root)
spring.datasource.password=DEC(admin)

Now, navigate to the root directory of the application and execute the following command:

mvn jasypt:encrypt -Djasypt.encryptor.password=learnitweb

After the command executes successfully, the DEC() values are replaced in place by ENC() values containing the ciphertext. For example:

spring.datasource.username=ENC(Jo4dahsX3GdYCMLxxxZ2cVkKKTf7PLF4aDIJLo00DAKd5cHrcAMUP+SGZx6vShTn)
spring.datasource.password=ENC(qwjWviCJ1ILKGWuroOyXqVV1ZGlrPKWGvBEbsjX0voJSqil4ljE3lmKAnmDUl8CW)

6. Run application with encrypted properties

When you run the application with encrypted properties, the application will not start because the secret key for decryption has not been specified.

Specify the secret key as a VM argument in your editor or IDE run configuration:

-Djasypt.encryptor.password=learnitweb
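The following Java program is an added example and not part of the tutorial or of the Jasypt project; it reproduces in plain code what mvn jasypt:encrypt and the starter do at startup, using the jasypt-spring-boot 3.x default encryptor settings (PBEWITHHMACSHA512ANDAES_256, random salt and IV, 1000 key-derivation iterations, base64 output). It only needs the jasypt core library on the classpath, which the starter pulls in transitively. The class and method names are mine; the key is hard-coded only to mirror the tutorial.

```java
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

/**
 * Added example: shows how an ENC(...) property value is produced and decrypted,
 * configured like the jasypt-spring-boot 3.x defaults.
 */
public class JasyptPropertyDemo {

    /** Build an encryptor with the same settings the starter uses when none are overridden. */
    static StringEncryptor encryptor(String secretKey) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(secretKey);                       // the value you pass via -Djasypt.encryptor.password
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");  // default algorithm in jasypt-spring-boot 3.x
        config.setKeyObtentionIterations("1000");            // PBKDF2 iterations used to derive the AES key
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    /** Turn a DEC(value) property value into ENC(ciphertext); any other value is returned unchanged. */
    static String encryptProperty(String value, StringEncryptor enc) {
        if (value.startsWith("DEC(") && value.endsWith(")")) {
            String plain = value.substring(4, value.length() - 1);
            return "ENC(" + enc.encrypt(plain) + ")";
        }
        return value;
    }

    /** Decrypt ENC(ciphertext) the way the starter does before the property reaches your beans. */
    static String decryptProperty(String value, StringEncryptor enc) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return enc.decrypt(value.substring(4, value.length() - 1));
        }
        return value;
    }

    public static void main(String[] args) {
        String key = "learnitweb"; // tutorial key; in practice supply a strong key from outside the repository
        StringEncryptor enc = encryptor(key);

        String encrypted = encryptProperty("DEC(admin)", enc);
        System.out.println("spring.datasource.password=" + encrypted);

        // Random salt and IV: the same plaintext encrypts to a different ciphertext every time,
        // which is why your ENC() values will not match the ones printed in the tutorial.
        System.out.println("second run differs: " + !encrypted.equals(encryptProperty("DEC(admin)", enc)));

        // The correct key recovers the plaintext
        System.out.println("decrypted: " + decryptProperty(encrypted, enc));

        // A wrong key almost always fails padding validation and Jasypt throws;
        // the starter surfaces this as a startup failure, which is what section 6 describes.
        try {
            decryptProperty(encrypted, encryptor("wrong-key"));
            System.out.println("decryption with the wrong key produced garbage instead of failing");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("decryption with the wrong key failed as expected");
        }
    }
}
```

Because the salt and IV are random, re-running mvn jasypt:encrypt on the same file produces different ENC() values; that is expected and does not indicate a problem with the key.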

7. Encrypting properties in application.yaml file in Spring Boot

The steps to encrypt properties in a YAML configuration file are similar to those for a properties file.

Suppose you want to encrypt the datasource username and password. The application.yaml file should look like this:

spring:
  datasource:
    url: jdbc:mysql://localhost:3306/mydb
    username: username
    password: admin
    driver-class-name: com.mysql.cj.jdbc.Driver

Replace the username and password values with DEC(root) and DEC(admin):

spring:
  datasource:
    url: jdbc:mysql://localhost:3306/mydb
    username: DEC(root)
    password: DEC(admin)
    driver-class-name: com.mysql.cj.jdbc.Driver

Now run the following command in the application root directory (the plugin defaults to application.properties, so the YAML path must be given explicitly):

mvn jasypt:encrypt -Djasypt.encryptor.password=learnitweb -Djasypt.plugin.path="file:src/main/resources/application.yaml"

After successful execution, you’ll observe that the values have been encrypted:

spring:
  datasource:
    url: jdbc:mysql://localhost:3306/mydb
    username: ENC(vWa8mISpnlU3qb8zQutjnl8GTRWmpL5qeDfpOJxYoQ/sRi8EcuWOAgnVYHRslT0l)
    password: ENC(ou/8Z4NR9hlXlzXaL6ha2BCpVZxEErpL+ANTRsHH9J9d3dgpDoOAUATDMabi2TeY)
    driver-class-name: com.mysql.cj.jdbc.Driver
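Once the ENC() step is in place, the remaining risk is a sensitive value that is committed before it was encrypted (still plaintext or still wrapped in DEC()). The following dependency-free Java check is an added example, not part of the tutorial, that scans both file layouts shown above and reports sensitive keys whose values are not ENC(...). The set of key names it treats as sensitive, the class name and the sample lines are my own constructions; adjust the key list for your project.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: a small pre-commit style check that reports configuration values
 * for sensitive keys that are not wrapped in ENC(...).
 */
public class PlaintextSecretCheck {

    /** Key name fragments treated as sensitive. This list is an assumption; extend it for your project. */
    private static final Pattern SENSITIVE_KEY =
            Pattern.compile("(?i)(password|passwd|secret|token|credential|username)");

    /** A value the Jasypt starter decrypts at startup looks like ENC(base64). */
    private static final Pattern ENCRYPTED_VALUE = Pattern.compile("^ENC\\([A-Za-z0-9+/=]+\\)$");

    /**
     * Returns one finding per sensitive key whose value is not wrapped in ENC(...).
     * DEC(...) values are reported too: they are plaintext waiting to be encrypted.
     *
     * @param yaml true for "key: value" lines (application.yaml), false for "key=value" (application.properties)
     */
    static List<String> findPlaintextSecrets(List<String> lines, boolean yaml) {
        List<String> findings = new ArrayList<>();
        char separator = yaml ? ':' : '=';
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i).trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue; // blank line or comment
            }
            int sep = line.indexOf(separator);
            if (sep < 0) {
                continue; // not a key/value line
            }
            String key = line.substring(0, sep).trim();   // for YAML this is the leaf key, e.g. "password"
            String value = stripQuotes(line.substring(sep + 1).trim());
            if (value.isEmpty()) {
                continue; // e.g. "datasource:" opens a nested map and carries no value of its own
            }
            if (SENSITIVE_KEY.matcher(key).find() && !ENCRYPTED_VALUE.matcher(value).matches()) {
                findings.add("line " + (i + 1) + ": '" + key + "' is not encrypted");
            }
        }
        return findings;
    }

    /** YAML values may be quoted; compare the bare value. */
    private static String stripQuotes(String value) {
        boolean doubleQuoted = value.startsWith("\"") && value.endsWith("\"");
        boolean singleQuoted = value.startsWith("'") && value.endsWith("'");
        if (value.length() >= 2 && (doubleQuoted || singleQuoted)) {
            return value.substring(1, value.length() - 1);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample: the properties file after wrapping values in DEC(), before running the plugin
        List<String> beforeProps = Arrays.asList(
                "spring.datasource.url=jdbc:mysql://localhost:3306/mydb",
                "spring.datasource.username=DEC(root)",
                "spring.datasource.password=DEC(admin)");
        // Constructed sample: the same file after "mvn jasypt:encrypt" (ciphertext values from the tutorial)
        List<String> afterProps = Arrays.asList(
                "spring.datasource.url=jdbc:mysql://localhost:3306/mydb",
                "spring.datasource.username=ENC(Jo4dahsX3GdYCMLxxxZ2cVkKKTf7PLF4aDIJLo00DAKd5cHrcAMUP+SGZx6vShTn)",
                "spring.datasource.password=ENC(qwjWviCJ1ILKGWuroOyXqVV1ZGlrPKWGvBEbsjX0voJSqil4ljE3lmKAnmDUl8CW)");
        // Constructed sample: the YAML layout from the tutorial, still in plaintext
        List<String> yamlLines = Arrays.asList(
                "spring:",
                "  datasource:",
                "    url: jdbc:mysql://localhost:3306/mydb",
                "    username: username",
                "    password: admin",
                "    driver-class-name: com.mysql.cj.jdbc.Driver");

        System.out.println(findPlaintextSecrets(beforeProps, false)); // two findings: username and password
        System.out.println(findPlaintextSecrets(afterProps, false));  // [] nothing left in plaintext
        System.out.println(findPlaintextSecrets(yamlLines, true));    // two findings: username and password
    }
}
```

The check is deliberately line-based rather than a full YAML parser, which is enough for the flat datasource block used here; a non-empty findings list is the signal to refuse the commit or fail the build.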

8. Conclusion

In this tutorial, we discussed Jasypt and its usage to encrypt properties. Java Simplified Encryption is a very simple library which allows you to encrypt values with minimal knowledge of encryption. Jasypt is popular and used in many production projects.

Happy learning!