Configuration File Encryption Scheme

The configuration file often contains sensitive information, such as account and passwords. In this case, the sensitive information needs to be encrypted to ensure security.

This section describes how to use jasypt-spring-boot-starter to encrypt data. The account names and passwords involved in RBAC authentication are used as examples.

1. Add the dependency corresponding to the encryption component to the POM file.

   <dependency>  
      <groupId>com.github.ulisesbocchio</groupId>  
      <artifactId>jasypt-spring-boot-starter</artifactId>  
      <version>2.1.2</version>
   </dependency>

2. Configure the password.
   • You can directly configure the password in the configuration file (for example, application.properties). However, this method is not recommended because it is insecure.

     jasypt.encryptor.password=******

     Set ****** to the password used for encryption.

   • Set the password in the JVM startup parameter.

     -D jasypt.encryptor.password=******

     Set ****** to the password used for encryption.

3. Implement the encryption method.

   // Set this parameter to the password of the jasypt.encryptor.password configuration item.
     public static String salt = "GXXX6" (user-defined);
   
    // Encryption method.
     public static String demoEncrypt(String value) {
         BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
         textEncryptor.setPassword(salt);
         return textEncryptor.encrypt(value); 
     }
   
    // Test whether the decryption is normal.
     public static String demoDecrypt(String value) {
         BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
         textEncryptor.setPassword(salt);
         return textEncryptor.decrypt(value); 
     }
   
     public static void main(String[] args) {
         String username = demoEncrypt("root");
         System.out.println(username);
         System.out.println(username); 
     }

   The default encryption method of jasypt is used. You can also customize extended encryption and decryption methods. For details, see the official jasypt document.

4. Use the encrypted configuration item.
   You can use either of the following methods:

   • Write the configuration file

     spring:
       cloud:
         servicecomb:
            credentials:
               account:
                  name: ENC (ciphertext of the account name)
                  password: ENC (ciphertext of the password)

     Ciphertexts of the account name and password are obtained in 3.

     NOTE:

     This encryption mode requires the ENC() flag to identify whether encryption is enabled. ENC() is the special mark of the encryption mode. If ENC() does not exist, the plaintext is used.

   • Enter environment variables

     spring_cloud_servicecomb_credentials_account_name = ENC (ciphertext of the account name)
     spring_cloud_servicecomb_credentials_account_password = ENC (ciphertext of the password)

     Ciphertexts of the account name and password are obtained in 3.