How to encrypt passwords in a Spring Boot project using Jasypt
You often come across projects where you have to connect to databases like MongoDB and store the actual password of the DB connection in the config file of the Spring Boot project (application.yml or application.properties). Passwords or tokens required to authorize calls to other APIs are often stored in the same way.
You can avoid putting the clear-text password in the config file by using 'jasypt-spring-boot', a Java library.
What is Jasypt?
Jasypt (Java Simplified Encryption) provides encryption support for property sources in Spring Boot applications. It lets you add basic encryption of configuration values to a project with very little effort and without writing cryptographic code yourself: a dependency, an annotation and a few property entries are enough. Note what it does and does not protect: the config file no longer contains the clear-text secret, but anyone who obtains both the encrypted value and the secret key can decrypt it, so the secret key must be kept out of the repository and the config file. Jasypt is highly configurable.
Steps To Add Encryption Using Jasypt:
- Add the Maven dependency of Jasypt: In the pom.xml file, add the 'jasypt-spring-boot-starter' (or 'jasypt-spring-boot') dependency, which can be found easily in the Maven repository.
- Add the annotation in the Spring Boot application's main configuration class: The @EnableEncryptableProperties annotation needs to be added to make the application understand encryptable properties across the entire Spring Environment. If you use the 'jasypt-spring-boot-starter' dependency, this is auto-configured and the annotation is not required; it is needed only with the plain 'jasypt-spring-boot' dependency.
- Decide on a secret key to be used for encryption and decryption: The secret key is used to encrypt the password and later to decrypt the encrypted value to get the actual password. Any string works as the secret key, but it protects every encrypted value in the project, so choose a long random one, and never commit it to the repository or put it in the config file next to the values it protects.
- Generate the encrypted value: The encrypted value can be generated through either of the following two methods:
- Use the Jasypt online tool:
The Jasypt online encryption tool can be used to generate an encrypted value from the chosen secret key.
- The password to encrypt: abcd1234
- Select type of encryption: Two-way encryption (PBEWithMD5AndDES by default is used)
- Secret Key: hello (It can be any value)
- Encrypted String: kNuS1WAezYE7cph7zXVTiPSQSdHTx7Kv
You can also use the tool to check the encrypted value by decrypting it with the same secret key.
- Use the Jasypt jar: Download the Jasypt jar file from the Maven repository and run the CLI class it contains with the following command:
java -cp path/to/jasypt-1.9.3/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="abcd1234" password=hello algorithm=PBEWithMD5AndDES
Following is the significance of command-line parameters passed to run the jar:
- input: abcd1234 (Actual password to be encrypted)
- password: hello (the secret key chosen by you)
- algorithm: PBEWithMD5AndDES (default algorithm used)
- OUTPUT: scEjemHosjc/hjA8saT7Y6uC65bs0swg (Encrypted value of input)
Note: Though the encrypted values produced by the two methods (Encrypted String and OUTPUT above) are different, the decryption will give the same result (abcd1234) in both cases because the secret key is the same. The values differ because Jasypt prepends a random salt to each encryption; the same input encrypted twice with the same key also gives two different strings. Be aware that PBEWithMD5AndDES is an old, weak algorithm (MD5 key derivation and 56-bit DES) kept as the default of the CLI and online tool for compatibility. Since jasypt-spring-boot 3.x the library's default is PBEWITHHMACSHA512ANDAES_256 with a random IV, so a value encrypted with PBEWithMD5AndDES will not decrypt unless you also set jasypt.encryptor.algorithm=PBEWithMD5AndDES and jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator in the config, or, better, encrypt the value with the stronger algorithm in the first place.
- Add the encrypted value in the config file (application.yml or application.properties): Now, instead of adding the actual password, i.e. "abcd1234" as per the above example, you add the encrypted value generated by either of the above methods. But how will the Jasypt dependency know that a particular property of the config file needs to be decrypted? To make Jasypt aware of your encrypted values, it uses a convention: the value is wrapped in an ENC(...) marker, in the following format:
ENC(encrypted value): ENC(scEjemHosjc/hjA8saT7Y6uC65bs0swg)
In the example above, the database password is encrypted. You can use the same marker for any property whose actual value you have to hide, for example an API token.
- Pass the chosen secret key at runtime for decryption: Make Jasypt aware of the secret key you used to produce the encrypted value, without writing it into the same config file. The following are the different methods of passing the secret key:
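A worked example of the encryption half of this procedure, added here as illustration and not part of the original article or of the Jasypt project's own code. It uses the jasypt 1.9.3 API directly instead of the online tool or CLI jar: it builds an encryptor with the same settings as the CLI command above (PBEWithMD5AndDES, no IV), shows why two encryptions of "abcd1234" differ yet decrypt to the same value, prints the ENC(...) property line to paste into application.properties, and then shows what happens when the encrypted value is read with an encryptor configured like the jasypt-spring-boot 3.x default (PBEWITHHMACSHA512ANDAES_256) or with the wrong secret key. The secret key "hello", the password "abcd1234" and the property name spring.data.mongodb.password are sample values taken from or assumed for this example.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.NoIvGenerator;
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.salt.RandomSaltGenerator;

/**
 * Example (not from the article): encrypting a Spring Boot property with Jasypt
 * and checking how algorithm and key mismatches show up. Needs jasypt 1.9.3 on
 * the classpath.
 */
public class JasyptPropertyDemo {

    // Constructed sample values matching the article. In a real project the
    // secret key comes from the environment, never from source or config.
    private static final String SECRET_KEY = "hello";
    private static final String DB_PASSWORD = "abcd1234";

    /** Same settings as the CLI command above: PBEWithMD5AndDES, random salt, no IV. */
    static StandardPBEStringEncryptor legacyEncryptor(String secretKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(secretKey);
        enc.setAlgorithm("PBEWithMD5AndDES");
        enc.setKeyObtentionIterations(1000);
        enc.setSaltGenerator(new RandomSaltGenerator());
        enc.setIvGenerator(new NoIvGenerator());
        return enc;
    }

    /** Settings matching the jasypt-spring-boot 3.x defaults (no algorithm override). */
    static StandardPBEStringEncryptor modernEncryptor(String secretKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(secretKey);
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        enc.setKeyObtentionIterations(1000);
        enc.setSaltGenerator(new RandomSaltGenerator());
        enc.setIvGenerator(new RandomIvGenerator()); // AES in CBC mode needs a fresh IV
        return enc;
    }

    /** Wraps a ciphertext in the ENC(...) marker that jasypt-spring-boot looks for. */
    static String asEncProperty(String key, String ciphertext) {
        return key + "=ENC(" + ciphertext + ")";
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor legacy = legacyEncryptor(SECRET_KEY);

        // 1. Two encryptions of the same input differ because the salt is random,
        //    yet both decrypt to the same plaintext.
        String first = legacy.encrypt(DB_PASSWORD);
        String second = legacy.encrypt(DB_PASSWORD);
        System.out.println("first  = " + first);
        System.out.println("second = " + second);
        System.out.println("ciphertexts differ       = " + !first.equals(second));
        System.out.println("both decrypt to original = "
                + (DB_PASSWORD.equals(legacy.decrypt(first))
                   && DB_PASSWORD.equals(legacy.decrypt(second))));

        // 2. The line that replaces the clear password in application.properties.
        System.out.println(asEncProperty("spring.data.mongodb.password", first));

        // 3. Algorithm mismatch: an encryptor with the 3.x defaults reads the legacy
        //    value as salt + IV + AES ciphertext and either fails or returns garbage.
        StandardPBEStringEncryptor modern = modernEncryptor(SECRET_KEY);
        try {
            String result = modern.decrypt(first);
            System.out.println("modern encryptor returned '" + result
                    + "', matches original: " + DB_PASSWORD.equals(result));
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("modern encryptor cannot decrypt the legacy value; set "
                    + "jasypt.encryptor.algorithm=PBEWithMD5AndDES and "
                    + "jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator");
        }

        // 4. Wrong secret key. Neither scheme authenticates the ciphertext, so a wrong
        //    key is usually caught only by the padding check and in rare cases yields
        //    garbage instead of an error; the key itself is the whole protection.
        try {
            String result = legacyEncryptor("wrong-key").decrypt(first);
            System.out.println("wrong key produced garbage: " + result);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong secret key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Run it with jasypt-1.9.3.jar on the classpath and paste the printed ENC(...) line into application.properties. At runtime the application then needs only the secret key, supplied as the jasypt.encryptor.password property, for example through the JVM argument -Djasypt.encryptor.password=... or the environment variable JASYPT_ENCRYPTOR_PASSWORD, so that the key never sits in the same file as the values it protects.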