This article will help you understand what is Jasypt and how to use Jasypt in a Spring Boot application.
What is JASYPT ? Why is it important?
JASYPT stands for Java Simplified Encryption. Jasypt is a Java library which helps you to add encryption capabilities to your projects without much effort and knowledge of cryptography. We secure our applications’ data, connections, requests and responses, etc. using various ways but tend to leave the data or values in configuration files like application.properties as plain as they are. Properties related to an application’s datasource is an example. We specify the datasource URL, username and much confidential password too as plain texts. There comes the importance of Jasypt. It helps to have such confidential data secured without having much code changes.
Following steps are involved in encrypting the database password in a Spring Boot application’s properties file using Jasypt:
- Add the dependency of Jasypt
- Add @EnableEncryptableProperties annotation to the main configuration class
- Generate the encrypted string using a Secret key
- Use the encrypted string in the config file (application.properties or application.yml) instead of plain text password
- Deploy the application by passing the secret key
1. Adding the Jasypt Spring Boot Starter dependency
Add the dependency to your pom.xml file. Check the maven repository for the latest version: maven-jasypt-spring-boot-starter
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>LATEST</version>
</dependency>
2. Add @EnableEncryptableProperties annotation
@SpringBootApplication
@EnableEncryptableProperties
public class JasyptSpringBootApplication extends SpringBootServletInitializer {
public static void main(String[] args) {
SpringApplication.run(JasyptSpringBootApplication.class, args);
}
}
Adding @EnableEncryptableProperties annotation to your main configuration class will enable encryptable properties across the entire Spring Environment. In other words, it helps to make your application understand the encryptable properties.
3. Generate the encrypted string using a Secret key
You need to have a secret key to be used for encryption and decryption. This secret key is used while generating the encrypted string from your password and decrypting the encrypted string to get the actual password. You can choose either of the following 2 methods to generate an encrypted string:
a. By using the Jasypt jar
You can find the Jasypt jar file which was downloaded earlier to your local m2 repository folder by adding the dependency as mentioned in Step-1. To generate the encrypted string by using the jar file, execute the following command:
jasypt-enc$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.3/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="pwd_to_encrypt" password=secretkey algorithm=PBEWithMD5AndDES
JasyptPBEStringEncryptionCLI is the CLI(Command Line Interface) class which performs the encryption by accepting the following arguments:
- input: your plan password string to be encrypted
- password: the secret key to be used
- algorithm: optional. It’s the algorithm to be used for encryption and decryption. PBEWithMD5AndDES is the default algorithm but may change with the Jasypt versions you use. It’s better to pass the algorithm as argument since the same will be mentioned later while decrypting too. We will come to that in the next step.
b. By using the Jasypt distribution package
Download the distribution package from here. The package comes with a bunch of Command Line Interface (CLI) tools, useful for performing operations like encryption, decryption, message digest, etc. from the command line. If you go to the bin folder, you can find the following tools:
- encrypt.bat/encrypt.sh: for PBE (Password Based Encryption) encryption operations.
- decrypt.bat/decrypt.sh: for PBE (Password Based Encryption) decryption operations.
- digest.bat/digest.sh: for message digest operations.
- listAlgorithms.bat/listAlgorithms.sh: for listing the digest and PBE encryption algorithms available in your JVM.
To generate the encrypted string, execute the encrypt script by passing the same arguments as we did for the Jasypt jar file:
./encrypt.sh input="pwd_to_encrypt" password=secretkey algorithm=PBEWithMD5AndDES
Either of the above methods should give you the following output:
Value you get in the OUTPUT section is the generated encrypted string for your password.
4. Using the encrypted string in the application.properties file
Now you can use the encrypted string in the application.properties file. For Jasypt to know that a particular property in your config file is encrypted and is to be decrypted, you need to use the following format:
ENC(<ENCRYPTED_STRING>)
So the property will look like:
spring.datasource.password=ENC(<ENCRYPTED_STRING>)
With ENC() in place, Jasypt will automatically decrypt the encrypted string. To avoid any errors related to the version, you need to have the following properties in your config file:
jasypt.encryptor.algorithm=PBEWithMD5AndDES
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
This is due to the changes in the default algorithm used by Jasypt since version 3.0.0, which is now PBEWITHHMACSHA512ANDAES_256 as mentioned here.
Note: You need at least Java 8 to use PBEWITHHMACSHA512ANDAES_256 instead of PBEWithMD5AndDES and probably get rid of the above 2 additional properties in the config file.
5. Deploy the application by passing the secret key
To perform the decryption operation at runtime, Jasypt needs the secret key you used while generating the encrypted string. You can choose any of the following ways to pass the secret key:
a. Place the secret key in the application.properties itself
This is the easiest way to make Jasypt available with the secret key. Just add the following property in your config file:
jasypt.encryptor.password=secretkey
Now, run the application as usual and the decryption would happen. However, having your plain secret key in the config file can be a breach of security since the goal here is to secure the application and its properties.
b. Run the project by passing the secret key
Using the option -Djasypt.encryptor.password=secretkey with the run command will pass the secret key to the application. The run command will look like:
$mvn -Djasypt.encryptor.password=secretkey spring-boot:run
Here also we pass the plain secret key with the command. In production environments, history of commands can easily be retrieved and your secret key can be open.
c. Use an environment variable for Jasypt Encryptor Password
Export the environment variable for the encryptor:
On Windows:
set JASYPT_ENCRYPTOR_PASSWORD=secretkey
On Unix systems:
export JASYPT_ENCRYPTOR_PASSWORD=secretkey
Now, deploy the application as usual. Using the environment variable is the preferred way to use the secret key for production environments.
To make it more secure, you can use a setenv.sh/bat script with Apache Tomcat to set/export the environment variable for Jasypt Encryptor. Once the tomcat server is started with the setenv script in the bin folder and your application is successfully deployed, you can delete the script and unset the variable so that the secret key is no more visible to anyone. To learn more about setenv.sh/bat script in Apache Tomcat, check my post – How to use setenv script in Apache Tomcat?.
Note: you can encrypt any property of confidential behavior in your config file just like we did for the database password.