Chapter 4. How to use encrypted property placeholders in Spring Boot

When securing a container, do not put plain text passwords in configuration files. One way to avoid plain text passwords is to use encrypted property placeholders wherever possible.

4.1. About the master password for encrypting values

To use Jasypt to encrypt a value, a master password is required. It is up to you or an administrator to choose the master password. Jasypt provides several ways to set the master password. Jasypt can be integrated into the Spring configuration framework so that property values are decrypted as the configuration file is loaded. One way is to specify the master password in plain text in a Spring Boot configuration.

Spring uses the PropertyPlaceholder framework to replace tokens with values from a properties file, and Jasypt’s approach replaces the PropertyPlaceholderConfigurer class with one that recognizes encrypted strings and decrypts them.

Example

<bean id="propertyPlaceholderConfigurer"
      class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
  <constructor-arg ref="configurationEncryptor" />
  <property name="location" value="/WEB-INF/application.properties" />
</bean>

<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="config" ref="environmentVariablesConfiguration" />
</bean>

<bean id="environmentVariablesConfiguration"
      class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  <property name="algorithm" value="PBEWithMD5AndDES" />
  <property name="password" value="myPassword" />
</bean>

Instead of specifying the master password in plain text, you can use an environment variable to set your master password. In the Spring Boot configuration file, specify this environment variable as the value of the passwordEnvName property. For example, if you set the MASTER_PW environment variable to your master password, then you would have this entry in your Spring Boot configuration file:

<property name="passwordEnvName" value="MASTER_PW" />

4.2. Using Encrypted Property Placeholders in Spring Boot

By using Jasypt, you can encrypt the property sources, and the application can decrypt the encrypted properties and retrieve the original values. The following procedure explains how to encrypt and decrypt the property sources in Spring Boot.

Procedure

  1. Add the Jasypt dependency to your project’s pom.xml file.

    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>3.0.3</version>
    </dependency>
  2. Add the Maven repository to your project’s pom.xml.

    <repository>
        <id>jasypt-basic</id>
        <name>Jasypt Repository</name>
        <url>https://repo1.maven.org/maven2/</url>
    </repository>
  3. Add the Jasypt Maven plugin to your project; it provides the Maven goals used for encryption and decryption.

    <plugin>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-maven-plugin</artifactId>
        <version>3.0.3</version>
    </plugin>
  4. Add the plugin repository to pom.xml.

    <pluginRepository>
        <id>jasypt-basic</id>
        <name>Jasypt Repository</name>
        <url>https://repo1.maven.org/maven2/</url>
    </pluginRepository>
  5. To encrypt the username and password listed in the application.properties file, wrap these values inside DEC() as shown below.

    spring.datasource.username=DEC(root)
    spring.datasource.password=DEC(Password@1)
  6. Run the following command to encrypt the username and password.

    mvn jasypt:encrypt -Djasypt.encryptor.password=mypassword

    This replaces the DEC() placeholders in the application.properties file with encrypted values, for example:

    spring.datasource.username=ENC(3UtB1NhSZdVXN9xQBwkT0Gn+UxR832XP+tOOfFTlNL57FiMM7BWPRTeychVtLLhB)
    spring.datasource.password=ENC(4ErqElyCHjjFnqPOCZNAaTdRC7u7yJSy16UsHtVkwPIr+3zLyabNmQwwpFo7F7LU)
  7. To decrypt the credentials in the Spring application configuration file, run the following command.

    mvn jasypt:decrypt -Djasypt.encryptor.password=mypassword

    This prints out the content of the application.properties file as it was before the encryption. However, this does not update the configuration file.
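The following added example (not code from this guide or from the Jasypt project) shows what the DEC()/ENC() rewrite of steps 5 to 7 and the runtime decryption amount to, using the Jasypt API directly with the master password taken from the MASTER_PW environment variable of section 4.1 instead of a command-line argument. The class name PlaceholderDemo, the helper methods and the sample property lines are assumptions; it assumes jasypt 1.9.3 or later on the classpath, and uses the AES algorithm that jasypt-spring-boot 3.x selects by default rather than the older PBEWithMD5AndDES shown in section 4.1.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.iv.RandomIvGenerator;

public class PlaceholderDemo {
    // Value markers as written in application.properties: DEC(plaintext) and ENC(ciphertext).
    private static final Pattern DEC = Pattern.compile("^DEC\\((.*)\\)$");
    private static final Pattern ENC = Pattern.compile("^ENC\\((.*)\\)$");

    /** Encryptor whose master password is read from MASTER_PW; refuses to run without it. */
    static StandardPBEStringEncryptor encryptor() {
        if (System.getenv("MASTER_PW") == null) {
            throw new IllegalStateException("MASTER_PW is not set; no master password available");
        }
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setPasswordEnvName("MASTER_PW");             // same mechanism as passwordEnvName in 4.1
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // jasypt-spring-boot 3.x default; needs an IV
        config.setIvGenerator(new RandomIvGenerator());
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setConfig(config);
        return enc;
    }

    /** What mvn jasypt:encrypt does to one line: DEC(secret) becomes ENC(ciphertext); other lines pass through. */
    static String encryptLine(StandardPBEStringEncryptor enc, String line) {
        int eq = line.indexOf('=');
        if (eq < 0) return line;
        Matcher m = DEC.matcher(line.substring(eq + 1).trim());
        return m.matches() ? line.substring(0, eq + 1) + "ENC(" + enc.encrypt(m.group(1)) + ")" : line;
    }

    /** What the starter does at runtime: ENC(ciphertext) resolves to the plaintext the bean actually receives. */
    static String resolve(StandardPBEStringEncryptor enc, String value) {
        Matcher m = ENC.matcher(value.trim());
        return m.matches() ? enc.decrypt(m.group(1)) : value;
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor enc = encryptor();
        // Constructed sample based on the property lines in step 5; the ciphertext differs on every run
        // because the salt and IV are random, but each one decrypts to the same plaintext.
        String[] lines = { "spring.datasource.username=DEC(root)", "spring.datasource.password=DEC(Password@1)" };
        for (String line : lines) {
            String encrypted = encryptLine(enc, line);
            System.out.println(encrypted);
            String expected = DEC.matcher(line.substring(line.indexOf('=') + 1)).replaceAll("$1");
            String actual = resolve(enc, encrypted.substring(encrypted.indexOf('=') + 1));
            if (!actual.equals(expected)) throw new AssertionError("round trip failed for " + line);
        }
    }
}
```

Run it with `MASTER_PW=<your master password> java PlaceholderDemo`; the master password never appears in the command line or the properties file, only the ENC() ciphertext does.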