Spring Cloud Config: encryption and decryption

Important prerequisite: to use the encryption and decryption features you need the full-strength JCE installed in your JVM (it is not included by default). Download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Oracle and follow the installation instructions (in practice this means replacing the two policy files in the JRE's lib/security directory with the ones you downloaded). Without them the JVM rejects 256-bit AES keys ("Illegal key size") and the encryptor cannot be created. Note that from JDK 8u161 and JDK 9 onward the unlimited policy is enabled by default (crypto.policy=unlimited), so this step is only needed on older JDKs.

If the remote property sources contain encrypted content (values beginning with {cipher}), they are decrypted before being sent to clients over HTTP. The main advantage of this arrangement is that the property values do not have to be in plain text when they are "at rest" (e.g. in a git repository). If a value cannot be decrypted, it is removed from the property source and an additional property with the same key is added, but prefixed with "invalid." and with a value that means "not applicable" (usually "<n/a>"). This is largely to prevent the cipher text being used as a password and leaking accidentally.

If you are setting up a remote configuration repository for the config client application, it might contain an application.yml like this:

application.yml

spring:
  datasource:
    username: dbuser
    password: '{cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ'

In a .properties file the encrypted value must not be enclosed in quotation marks, otherwise the value will not be decrypted:

application.properties
spring.datasource.username: dbuser
spring.datasource.password: {cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ

You can safely push this plain-text file to a shared git repository; the secret password stays protected, since only a Config Server holding the key can recover it.

The server also exposes /encrypt and /decrypt endpoints (on the assumption that these endpoints are secured and can only be accessed by authorized agents). If you are editing a remote configuration file, you can use the Config Server to encrypt values by POSTing to the /encrypt endpoint, for example:

$ curl localhost:8888/encrypt -d mysecret
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

The reverse operation is also available via /decrypt (provided the server is configured with a symmetric key, or with a full key pair that includes the private key):

Note that if the value you are encrypting contains characters that need to be URL-encoded, you should use curl's --data-urlencode option to make sure they are encoded correctly.

$ curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret

If you are testing with curl like this, use --data-urlencode (instead of -d) or set an explicit Content-Type: text/plain header, to make sure the data is encoded properly when there are special characters ('+' is particularly tricky: with -d the body is sent as form data, where a literal '+' is decoded as a space, so the value that gets encrypted is not the one you typed).

Take the encrypted value, add the {cipher} prefix, and put it in the YAML or properties file before committing and pushing it to a remote, potentially insecure repository.
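What the server does with a {cipher} value, as an added example written for this post rather than code taken from Spring Cloud Config: a Go program that reproduces the symmetric text-encryptor layout Config Server is assumed to use for encrypt.key (Spring Security's Encryptors.text: AES-256-CBC with PKCS#7 padding, key derived by PBKDF2-HMAC-SHA1 with 1024 iterations from the key string and the hex-decoded encrypt.salt, default deadbeef, output hex(iv || ciphertext)), and then applies the "decrypt, or replace with invalid.<key> = <n/a>" rule to a constructed property source. The PBKDF2 routine is written out by hand so the program needs nothing outside the Go standard library; the key "foo", the salt and the property names are assumptions chosen for the example, not values from the post.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// pbkdf2SHA1 is a hand-written RFC 8018 PBKDF2-HMAC-SHA1 (standard library only).
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)}) // INT(i)
		u := prf.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for c := 1; c < iterations; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// TextEncryptor reproduces the layout of Spring Security's Encryptors.text, which
// Config Server is assumed to use for a symmetric encrypt.key: AES-256-CBC, PKCS#7
// padding, key = PBKDF2-HMAC-SHA1(key string, hex-decoded salt, 1024 iterations), hex(iv || ct).
type TextEncryptor struct{ block cipher.Block }

func NewTextEncryptor(password string, salt []byte) *TextEncryptor {
	block, _ := aes.NewCipher(pbkdf2SHA1([]byte(password), salt, 1024, 32)) // 32-byte key: cannot fail
	return &TextEncryptor{block: block}
}

// Encrypt returns the hex string that goes into the repository behind the {cipher} prefix.
func (t *TextEncryptor) Encrypt(plain string) string {
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand.Read never returns an error (documented since Go 1.24)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(t.block, iv).CryptBlocks(ct, padded)
	return hex.EncodeToString(append(iv, ct...))
}

// Decrypt is the inverse. The format carries no MAC, so a wrong key or a corrupted value
// is only caught by the padding check, and a wrong key still slips through about 1 time in 256.
func (t *TextEncryptor) Decrypt(hexText string) (string, error) {
	raw, err := hex.DecodeString(hexText)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not a valid cipher text (bad hex or length): %q", hexText)
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(t.block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", fmt.Errorf("bad padding: wrong key or corrupted value")
	}
	return string(pt[:len(pt)-pad]), nil
}

const cipherPrefix = "{cipher}"

// DecryptPropertySource applies the Config Server rule from the text: {cipher} values are
// decrypted in place; one that cannot be decrypted is dropped and replaced by invalid.<key> = <n/a>.
func DecryptPropertySource(enc *TextEncryptor, props map[string]string) map[string]string {
	out := make(map[string]string, len(props))
	for k, v := range props {
		if !strings.HasPrefix(v, cipherPrefix) {
			out[k] = v
		} else if plain, err := enc.Decrypt(strings.TrimPrefix(v, cipherPrefix)); err == nil {
			out[k] = plain
		} else {
			out["invalid."+k] = "<n/a>" // cipher text is never passed on as if it were the secret
		}
	}
	return out
}

func main() {
	enc := NewTextEncryptor("foo", []byte{0xde, 0xad, 0xbe, 0xef}) // encrypt.key=foo, default salt deadbeef
	ct := enc.Encrypt("mysecret")
	props := map[string]string{"db.user": "dbuser", "db.password": cipherPrefix + ct, "old.password": cipherPrefix + "00ff"}
	for k, v := range DecryptPropertySource(enc, props) { // constructed sample property source
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Run it with go run; a 64-character value is one 16-byte IV plus a single padded AES block, which is exactly the length of the curl output above, and if the format assumption holds, a value produced by /encrypt on a server with encrypt.key=foo and the default salt decrypts with this code. Because CBC without a MAC only detects a wrong key through the padding check, Config Server's invalid.* replacement is a safety net against leaking cipher text, not a guarantee that every undecryptable value is caught.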

The /encrypt and /decrypt endpoints also both accept paths of the form /*/{name}/{profiles}, which can be used to control encryption per application (name) and profile when clients call into the main Environment resource.

Note that to control the encryption in this granular way you must also provide a @Bean of type TextEncryptorLocator that creates a different encryptor for each name and profile. The one provided by default does not do this (all values are encrypted with the same key).

The spring command line client (with the Spring Cloud CLI extension installed) can also be used to encrypt and decrypt, e.g.

$ spring encrypt mysecret --key foo
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
$ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret

To use a key stored in a file (e.g. an RSA public key for encryption), prepend the key value with "@" and provide the file path, e.g.

$ spring encrypt mysecret --key @${HOME}/.ssh/id_rsa.pub
AQAjPgt3eFZQXwt8tsHAVv/QHiY5sI2dRcR+...

The --key argument is mandatory (despite having a "--" prefix).


Origin www.cnblogs.com/itcode-code/p/11223955.html