[Programming] – Spring Boot: Encrypting Externalized Properties

Details how to integrate jasypt (http://www.jasypt.org/) into a Spring Boot project to provide encryption for externalized properties.

Step-by-step guide for integrating Jasypt into a Spring Boot Project

  1. An example project can be found at GitHub
  2. Include the dependency (check for an updated version):

    compile group: ‘com.github.ulisesbocchio’, name: ‘jasypt-spring-boot-starter’, version: ‘1.16’

  3. The @SpringBootApplication annotation will enable encryptable properties across the entire Spring Environment (This means any system property, environment property, command line argument, application.properties, yaml properties, and any other custom property sources can contain encrypted properties)
  4. Now you just need to include the following in your internal properties file (the one that will be compiled and not easily accessible):
    ** These values will be used to decrypt the encrypted property during runtime, these values are also used initially for encrypting the password using the shell script shown in the next step-by-step below.
    In yaml format:

        algorithm: PBEWithMD5AndDES
        password: secretkey
  5. Now encrypt your password using the steps below and include the encrypted password in an external file structure like the one shown below:

Screen Shot 2017-12-04 at 4.46.32 PM

Step-by-step guide for encrypting a password

  1. Download jasypt-shell-scripts.zip locally to your computer
  2. Open terminal and go to the following location and run the command shown below
    **PARAMETERS: (input: The password you want to encrypt, password: The key to encrypt/decrypt the password, algorithm: the algorithm used to encrypt)

    Screen Shot 2017-12-04 at 4.45.40 PM

  3. Copy the encrypted password shown below OUTPUT and copy it to the externalized properties file using the following format:
  4. Restart the Spring Boot application and confirm everything is running correctly.

Using Docker to isolate and protect the application

  1. Create a dockerfile like the following:
    FROM openjdk:8-jdk-alpine
    VOLUME /tmp
    ADD jasypt-0.0.1-SNAPSHOT.jar app.jar
    ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]

    – The ADD command copies files from your local machine to the docker image
    – The config/application.properties is where you can place your encrypted password
    – To reduce Tomcat startup time we added a system property pointing to “/dev/urandom” as a source of entropy.

  2. Now you can run the following command to read in the config/application.properties file that contains the encrypted password:
    docker run --rm -p 8080:8080 -v /LOCALHOST/PATH/TO/config/application.properties:/config/application.properties -t jasypt-kotlin-test