I have the following use case :
I have a property file, say test.properties
This property file needs to be encrypted as this has some confidential data.
I have a utility through which i can encrypt the property file.
Is there a way I can use Spring to inject the values from this property file to my class?
The real question is, how are you protecting the key? If someone has access to the key, they can decrypt the properties file.
Even if you keep the key in an HSM, the user that can utilize the HSM can decrypt the properties file, so what's the point?
Create an O/S user to run your application as. Run the application as that user. Only let that user access the properties file. That's the best you can do.
Related
I got a requirement in Spring boot. I a nearly beginner so kindly ignore my mistake.
Main requirement is I have to encrypt all application.properties data so even someone get access, not be able to read. I don't know whether it is possible or not, So let me know that also.
Why want to do this - I Application.properties hold lots of credentials for DB and Data for other service and some how any hackers get's the credentials then he/she will get other data too of DB and API keys. So doing it for security purpose. It is some finance project.
Requirement: I have Encrypted application.properties file present on S3 Bucket and have to download from there and decrypt the file at the starting of project and the project will load the data from that application.properties file.
I broke down the problem in download and Encryption/Decryption:
So I know how to download file in Maven from URL in specific folder. - Done
How to Decrypt application.properties file and use it to load Credential. - Answer Looking for!
I got the ways by using Jasypt Library in Spring boot but that encrypt the value only.
jasypt.encryptor.password=pass
encrypted.property=ENC(S3oSEyuNwaFBrwfoaNhqvauLAui9F+L9)
And in Any Java file I get the value:
#Value("${encrypted.property}")
private String property;
But that is not hiding any data as If i get the Jasypt then i can decrypt data on Online websites also. And it is also not hiding the keys.
So didn't find it working according to my requirement. So kindly help me in this problem.
We have to use ssl certificate for our rest web service which are created through springboot application.
Now, what I came to know that password is necessary in order to use a certificate. So we are changing our available .pem (without password) to .p12 (with password) using openssl. Now we have to provide spring this password.
Problem is the overhead which comes with introducing any new password.
We cannot hard-code this password in our application.properties due to bad design. So we are thinking of finding out the other ways to use password in application. So far I can think of below options. which one is better one and why?
Rather then setting password in application.properties, set it from java code. (I am not sure it will be set as environment variable or system variable)
use environment variable to store the password.
use any text file which stores the password (not preferred again due to bad design)
you can achieve your scenario in the following way.
i am posting sample example.\
In Properties File:
spring.datasource.url=${db.url}
spring.datasource.username=${db.username}
while starting the project,
you can give the following command:
java -jar -Ddb.url=jdbc:postgresql://localhost:5432/postgres -Ddb.username=postgres sample.0.0.1-SNAPSHOT.jar(your jar name)
option 3 seems feasible, but instead of storing it in a plain text file, you can encrypt the file, and put a decryption function in the application when reading the file.
For the provided options, i would go with the option 2, by using environment variables it will be easier to provide and change the password even in containerized environments and clouds.
But you can also consider other options, like using a safe k-v storage like Hashicorp Vault or etcd.
Note that using Vault or etcd, you can also provide and change the certificate dynamically, instead of shipping it with the application.
I can think of 3 ways you can do it
1. You can define password property only in application.properties but pass
the value of the property during application startup.
java -jar -Dmyapp.password=YOUR_PASSWORD myapplication.jar
2. You can put encrypted passwords in application.properties and pass the decryption key during application startup. Jasypt plays very good with spring boot.
java -jar -Dmyapp.decryptKey=YOUR_KEY myapplication.jar
3. You can use spring vault
This is for a Minecraft plugin.
Stormpath requires you to store your apiKeys.properties file in your home directory, I am looking for a way to define the keys in my config file instead. For example:
stormpath:
application_name: APPLICATION_NAME
api_key_id: KEY_ID
api_key_secret: SECRET_KEY
There's a section of my YML config file, I would like to use something like this to authenticate with Stormpath instead of having the file in a hidden directory. Is there any way of doing this within java? I know you are able to set environment variables with the keys in but I'm not sure what the best of doing this would be where I could still let the user enter their keys inside the config file.
Any help would be much appreciated. Thanks.
Yes, you can store the Stormpath API key and secret in a YAML file. The configuration path is stormpath.client.apiKey.[id/secret] according to the documentation.
This means that your stormpath.yaml file should look like this:
---
client:
apiKey:
id: "your_id_here"
secret: "your_id_here"
I have Java app that has remote db credentials in hibernate config file in JAR file. I want to encrypt password that if "simple" user would search for the password in would be not human readable.
I have seen Jasypt examples on the web, but there is Jasypt only for hibernate 4. There is no for hubernate 5.
Can I use Jasypt for hibernate 4 with hibernate 5?
Or maybe there is another solution? I know that placing login and password in JAR file is not safe, but thats the way my app is created.
Thanks in advance.
Place the password(s) in an external .properties file. To use the application in test-setup, you can place a properties file inside your project with fake/test credentials to a local database. For production you can place the secrets on the specific machine that needs to connect to the database.
Never put things you want to keep secret in the jar, source or repository.
Recently I have gone through Jasypt API to secure the property file entries. As per Jasypt, in order to decrypt the entry in the property file that was enclosed with ENC(..), we need to use a secure password, a secret key, as shown below (Not a web application):
encryptor.setPassword("jasypt"); // could be got from web, env variable..
Of course we can configure such password using
org.jasypt.encryption.pbe.config.SimplePBEConfig setPassword()
But my question, if we extract the jar file, 3rd party could be able to find out the secret key. How could we ensure security in such cases?
Thanks in advance,
JK
secret key should be stored in environment variable outside the application.
For example, in your spring configuration file:
<bean id="environmentConfig" class=
"org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"
p:passwordEnvName="APP_ENCRYPTION_PASSWORD" ...
Now, add APP_ENCRYPTION_PASSWORD in the env variable either in OS or app server.