
How to encrypt passwords in a Spring Boot project using Jasypt


In this article, we will learn how to encrypt values in Spring Boot application config files such as application.properties or application.yml. Inside those files we can keep the database username, password and similar secrets in encrypted form.

You often come across projects where you have to connect to databases like MongoDB and store the real password of the DB connection in the config file of the Spring Boot project (application.yml or application.properties). Passwords or tokens required for authorization when making other API calls are also stored in the same way. You can refrain from adding the actual password to the config file by using jasypt-spring-boot, a Java library.

What is Jasypt?

Jasypt (Java Simplified Encryption) provides encryption support for property sources in Spring Boot applications. It lets you add basic encryption to your project with very little effort and without writing cryptographic code yourself, using only a few additions here and there. Spring Boot and Jasypt together add this capability without you having to implement any cryptographic method. Jasypt is highly configurable.

Steps To Add Encryption Using Jasypt

  • Step 1: Add Maven dependency of Jasypt
  • Step 2: Add @EnableEncryptableProperties annotation in Spring Boot Application main configuration
  • Step 3: Select the secret key for encryption and decryption
  • Step 4: Generate encrypted key
  • Step 5: Add encrypted key in the config file
  • Step 6: Provide the secret key for decryption at runtime
  • Step 7: Run the app.

Step 1: Add Maven dependency of Jasypt

In the pom.xml file, add the Maven dependency, which can be found easily in the Maven repository.

You can use the below dependency for reference:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.0.0</version>
</dependency>

For the Maven plugin (used to encrypt values from the command line) you can use the below declaration; note that the plugin uses the same groupId as the starter:

<plugins>
    <plugin>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-maven-plugin</artifactId>
    </plugin>
</plugins>

Step 2: Add annotation in the Spring Boot Application main Configuration class

The @EnableEncryptableProperties annotation needs to be added so that the application recognizes encryptable properties across the entire Spring Environment.

import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
@EnableEncryptableProperties
public class MyProject {
    // write the rest of the application here
    public static void main(String[] args) { SpringApplication.run(MyProject.class, args); }
}

Step 3: Select the secret key for encryption and decryption

The secret key is used to encrypt the password and later to decrypt the encrypted value back into the actual password. You can choose any value as the secret key; whoever holds it can recover every encrypted value, so it must not be stored alongside the encrypted values.

Step 4: Generate the encrypted value

The encrypted value can be generated through either of the following two methods:

Use the Jasypt Online Tool: the online tool generates an encrypted value from the plaintext and your chosen secret key. You can also use the tool to check the encrypted value by decrypting it again.

  • The password to encrypt: abcd1234
  • Select type of encryption: Two-way encryption (PBEWithMD5AndDES by default is used)
  • Secret Key: hello (It can be any value)
  • Encrypted String: kNuS1WAezYE7cph7zXVTiPSQSdHTx7Kv

Use the Jasypt JAR: download the Jasypt JAR file from the Maven repository and run it with the following command (the path to the JAR is relative to wherever you unpacked the distribution):

java -cp jasypt-1.9.3/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="abcd1234" password=hello algorithm=PBEWithMD5AndDES

Following is the significance of the command-line parameters passed to the JAR:

  • input: abcd1234 (Actual password to be encrypted)
  • password: hello (the secret key chosen by you)
  • algorithm: PBEWithMD5AndDES (default algorithm used)
  • OUTPUT: scEjemHosjc/hjA8saT7Y6uC65bs0swg (Encrypted value of input)

Note: Though the encrypted values (the Encrypted String from the online tool and the OUTPUT from the JAR) differ, the secret key is the same, so decrypting either one yields the same value (abcd1234). The values differ because a fresh random salt is used for each encryption.

Step 5: Add the encrypted value to the config file (application.yml or application.properties)

Now, instead of adding the actual password ("abcd1234" in the example above), you add the encrypted value generated by either of the above methods. But how will the Jasypt dependency know that a particular property of the config file needs to be decrypted? To make Jasypt aware of your encrypted values, it uses a convention: the value is wrapped as ENC(encrypted value), for example:

ENC(scEjemHosjc/hjA8saT7Y6uC65bs0swg)

In this example the database password is encrypted. You can use the same convention for any property whose real value you want to hide.

Step 6: Provide the secret key for decryption at runtime

Jasypt must be given the secret key that you used to produce the encrypted value. It reads it from the jasypt.encryptor.password property, which can be supplied in several ways:

Pass it as a property in the config file, as a JVM system property, or as an environment variable (see Step 7). Then run the project as usual and the decryption happens automatically.

Step 7: Run the application

Now run the application, passing the secret key as a system property:

$ mvn -Djasypt.encryptor.password=hello spring-boot:run

Alternatively, export the encryptor password as an environment variable before starting the application:

$ export JASYPT_ENCRYPTOR_PASSWORD=hello
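To see what Steps 4 to 7 do under the hood, here is an added stand-alone example (not code from the article or from the jasypt-spring-boot project) that uses the Jasypt library directly: it encrypts abcd1234 twice with the secret key hello, shows that the two ciphertexts differ but both decrypt to the same value, and resolves a constructed set of properties using the ENC(...) convention. The encryptor(), resolve() and the property names in the sample map are assumptions made for this example; only the jasypt-1.9.3 JAR is needed on the classpath.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptDemo {
    // Hypothetical helper: configures the encryptor the way the article does (PBEWithMD5AndDES).
    // This algorithm is legacy; jasypt-spring-boot 2.1.0+ defaults to PBEWITHHMACSHA512ANDAES_256.
    static StandardPBEStringEncryptor encryptor(String secretKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(secretKey);            // the "secret key" chosen in Step 3
        enc.setAlgorithm("PBEWithMD5AndDES");  // same algorithm as the online tool / JAR command
        return enc;
    }

    // Mimics the ENC(...) convention of Step 5: only wrapped values are decrypted.
    static String resolve(String value, StandardPBEStringEncryptor enc) {
        if (value != null && value.startsWith("ENC(") && value.endsWith(")")) {
            return enc.decrypt(value.substring(4, value.length() - 1));
        }
        return value;  // plain properties pass through unchanged
    }

    public static void main(String[] args) {
        // Step 7: the key comes from the environment, not from the config file; "hello" is the fallback here.
        String secretKey = System.getenv().getOrDefault("JASYPT_ENCRYPTOR_PASSWORD", "hello");
        StandardPBEStringEncryptor enc = encryptor(secretKey);

        // Step 4 note: a random salt is used per encryption, so the same input gives different ciphertexts.
        String c1 = enc.encrypt("abcd1234");
        String c2 = enc.encrypt("abcd1234");
        System.out.println("ciphertexts differ: " + !c1.equals(c2));
        System.out.println("both decrypt to abcd1234: "
                + (enc.decrypt(c1).equals("abcd1234") && enc.decrypt(c2).equals("abcd1234")));

        // Constructed sample, shaped like application.properties after Step 5.
        Map<String, String> props = new LinkedHashMap<>();
        props.put("spring.datasource.username", "dbuser");
        props.put("spring.datasource.password", "ENC(" + c1 + ")");
        for (Map.Entry<String, String> e : props.entrySet()) {
            System.out.println(e.getKey() + " -> " + resolve(e.getValue(), enc));
        }

        // A wrong secret key is normally rejected (bad padding) rather than returning the plaintext.
        try {
            encryptor("wrong-key").decrypt(c1);
        } catch (EncryptionOperationNotPossibleException ex) {
            System.out.println("decryption with wrong key rejected");
        }
    }
}
```

If you upgrade jasypt-spring-boot-starter beyond 2.0.0, values produced with PBEWithMD5AndDES as above only decrypt when jasypt.encryptor.algorithm=PBEWithMD5AndDES and jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator are set, because the newer default is AES with a random IV.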

Last Updated : 04 Jan, 2024