How to protect sensitive information in SpringBoot configuration files


Anyone who has used Spring Boot configuration files knows that the values in resource files are normally stored in plain text, which offers little protection.

Open application.properties or application.yml and the MySQL login password, the Redis login password, third-party keys and the like are all visible at a glance. This post introduces an encryption/decryption component that improves the security of such property values.

jasypt is a toolkit for Spring Boot written by an overseas developer, used to encrypt the information in configuration files.

GitHub Demo address:

https://github.com/jeikerxiao/spring-boot2/tree/master/spring-boot-encrypt

The following uses encryption of the database user name and database password as an example.

1. pom dependency

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.5.6</version>
        <relativePath/>
    </parent>

    <groupId>com.jasypt</groupId>
    <artifactId>spring-boot-jasypt</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>spring-boot-jasypt</name>
    <description>如何保护 SpringBoot 配置文件中的敏感信息</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <version>2.4.5</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <!-- encryption package -->
        <dependency>
            <groupId>com.github.ulisesbocchio</groupId>
            <artifactId>jasypt-spring-boot-starter</artifactId>
            <version>2.1.0</version>
        </dependency>

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>RELEASE</version>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

Check out the latest version at:

https://github.com/ulisesbocchio/jasypt-spring-boot

2. Configure the encryption/decryption password

# jasypt encryption key
jasypt:
  encryptor:
    password: Y6M9fAJQdU7jNp5MW

3. Generate the encrypted strings in a test case

package com.jasypt;

import org.jasypt.encryption.StringEncryptor;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

// JUnit 4 test: @RunWith(SpringRunner.class) requires org.junit.Test, not the
// JUnit 5 org.junit.jupiter.api.Test, and the test class must be public.
@RunWith(SpringRunner.class)
@SpringBootTest
public class SpringBootJasyptApplicationTests {

    // StringEncryptor bean auto-configured by jasypt-spring-boot-starter from
    // the jasypt.encryptor.password property in application.yml
    @Autowired
    private StringEncryptor encryptor;

    @Test
    public void getPass() {
        // Encrypt each plaintext value; the output is base64 with a random salt,
        // so every run produces a different ciphertext for the same input.
        String url = encryptor.encrypt("jdbc:mysql://127.0.0.1:3306/test");
        String name = encryptor.encrypt("root");
        String password = encryptor.encrypt("root");
        System.out.println("database url: " + url);
        System.out.println("database name: " + name);
        System.out.println("database password: " + password);
        Assert.assertTrue(url.length() > 0);
        Assert.assertTrue(name.length() > 0);
        Assert.assertTrue(password.length() > 0);
    }
}

The test prints the encrypted strings:

database url: CCGZpukXHOy7xPMVm6//IZi3kQxJQmZuFdrje1KtshlZD0IiwrHTQWcB4J4l1qKe
database name: +DcWhoH0RuZck93R2FSEEg==
database password: gTVoDqbBeaTe2+omIsoXIA==

4. Replace the plaintext in the configuration with the encrypted strings

Each encrypted value is wrapped in ENC( ... ), the default prefix/suffix that jasypt-spring-boot uses to decide which properties to decrypt; a bare ciphertext would be passed through unchanged:

server:
  port: 8080
spring:
  # database-related configuration; encrypted values are wrapped in ENC( ... ),
  # the default prefix/suffix that jasypt-spring-boot decrypts at startup
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    url: ENC(CCGZpukXHOy7xPMVm6//IZi3kQxJQmZuFdrje1KtshlZD0IiwrHTQWcB4J4l1qKe)
    username: ENC(+DcWhoH0RuZck93R2FSEEg==)
    password: ENC(gTVoDqbBeaTe2+omIsoXIA==)
  jpa:
    hibernate:
      ddl-auto: update
    show-sql: true
  # configuration of returned API responses, effective globally
  jackson:
    # if a field is null, omit it from the response
    default-property-inclusion: non_null
    date-format: yyyy-MM-dd HH:mm:ss
    serialization:
      write-dates-as-timestamps: false
    time-zone: GMT+8
# jasypt encryption key; remove it from the file for deployed builds and
# supply it from the command line or environment instead (see step 5)
jasypt:
  encryptor:
    password: Y6M9fAJQdU7jNp5MW

5. Pass in the salt value at deployment time

To keep the salt (the jasypt encryptor password) from leaking and being used to decrypt the passwords, pass it in on the command line when the project is deployed instead of leaving it in the configuration file. The -D option must come before -jar so the JVM reads it as a system property:

$ java -Djasypt.encryptor.password=Y6M9fAJQdU7jNp5MW -jar xxx.jar

Or configure it as an environment variable on the server to improve security further.

Open the /etc/profile file:

$ vim /etc/profile

Add the salt variable at the end of the file (no spaces around the = sign):

export JASYPT_PASSWORD=Y6M9fAJQdU7jNp5MW

Source the profile so the change takes effect:

$ source /etc/profile

Run:

$ java -jar -Djasypt.encryptor.password=${JASYPT_PASSWORD} xxx.jar
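As an added example (not code from the post or from jasypt-spring-boot), the following stand-alone Java program reproduces what the starter does with the configuration above: it builds an encryptor with the 2.1.0 defaults, reads the key from the JASYPT_PASSWORD environment variable from step 5, wraps the ciphertext as ENC(...) and checks that it decrypts back. The class name and the wrap/unwrap helpers are assumptions for illustration; it needs only the jasypt jar on the classpath.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.salt.RandomSaltGenerator;

// Stand-alone encrypt/decrypt round trip using the defaults that
// jasypt-spring-boot-starter 2.1.0 applies when only jasypt.encryptor.password is set.
public class JasyptRoundTrip {
    // The starter's default property prefix/suffix: values in application.yml
    // must be written as ENC(<base64>) or they are left untouched.
    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";

    static PooledPBEStringEncryptor newEncryptor(String password) {
        PooledPBEStringEncryptor enc = new PooledPBEStringEncryptor();
        enc.setPassword(password);                       // jasypt.encryptor.password
        enc.setAlgorithm("PBEWithMD5AndDES");            // 2.x default; weak, override via jasypt.encryptor.algorithm in production
        enc.setKeyObtentionIterations(1000);             // jasypt.encryptor.key-obtention-iterations
        enc.setPoolSize(1);                              // jasypt.encryptor.pool-size (must be > 0)
        enc.setSaltGenerator(new RandomSaltGenerator()); // random salt: ciphertext differs on every run
        enc.setStringOutputType("base64");               // jasypt.encryptor.string-output-type
        return enc;
    }

    // Hypothetical helpers mimicking the starter's prefix/suffix handling.
    static String wrap(String cipherText) { return PREFIX + cipherText + SUFFIX; }

    static String unwrap(String property) {
        if (!property.startsWith(PREFIX) || !property.endsWith(SUFFIX)) {
            throw new IllegalArgumentException("not an ENC() value: " + property);
        }
        return property.substring(PREFIX.length(), property.length() - SUFFIX.length());
    }

    public static void main(String[] args) {
        // Read the key from the environment (step 5) instead of hard-coding it.
        String password = System.getenv("JASYPT_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("set JASYPT_PASSWORD before running");
        }
        PooledPBEStringEncryptor enc = newEncryptor(password);
        String plain = "root"; // constructed sample, the same plaintext the post encrypts
        String property = wrap(enc.encrypt(plain));
        System.out.println("password: " + property); // paste this value into application.yml

        // Verify the round trip the same way the starter does at startup.
        String recovered = enc.decrypt(unwrap(property));
        if (!plain.equals(recovered)) throw new AssertionError("round trip failed");
        System.out.println("round trip ok");
    }
}
```

Because the salt is random, the printed ciphertext will differ from the values shown in step 3 even with the same key; only decryption with the same key confirms the value is correct.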

Origin blog.csdn.net/qq_30614345/article/details/131969201