Preface
With the security situation getting worse these days, I realized that there is a problem in our projects that we often ignore: the security of the information in the project's configuration file, especially the user name and password used for the database connection. So we need to encrypt the database user name and password, which is the reason for this article. This article uses Jasypt to encrypt the Spring Boot configuration file. There are other schemes as well, which will be explained in related articles to follow.
Importing jasypt

    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>2.0.0</version>
    </dependency>
1. Generate a string to encrypt
1.1 Encrypt the user name and password of the database
    import org.jasypt.util.text.BasicTextEncryptor;
    import org.junit.Test;
    import org.junit.runner.RunWith;
    import org.springframework.boot.test.context.SpringBootTest;
    import org.springframework.test.context.junit4.SpringRunner;

    // Test class name assumed; the article only shows the test method
    @RunWith(SpringRunner.class)
    @SpringBootTest
    public class JasyptApplicationTests {

        @Test
        public void contextLoads() {
            BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
            // Encryption password (called the salt in this article)
            textEncryptor.setPassword("1Qaz0oKm");
            // Data to be encrypted (database user name or password)
            String username = textEncryptor.encrypt("root");
            String password = textEncryptor.encrypt("root");
            System.out.println("username:" + username);
            System.out.println("password:" + password);
        }
    }
Output Information
    username:NZmLHOOHX0SEjc285iG9YQ==
    password:1JByM5wu5o+9H1Ba2o++Pg==
    2019-06-14 14:55:49.863  INFO 8904 --- [      Thread-3] o.s.s.concurrent.ThreadPoolTaskExecutor  : Shutting down ExecutorService 'applicationTaskExecutor'
    2019-06-14 14:55:49.863  INFO 8904 --- [      Thread-3] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
    2019-06-14 14:55:49.863  INFO 8904 --- [      Thread-3] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Shutdown initiated...
    2019-06-14 14:55:49.878  INFO 8904 --- [      Thread-3] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Shutdown completed.
1.2. Or encrypt from the command line using the jasypt jar that Maven downloaded (for example \Maven\org\jasypt\jasypt\2.0.0\jasypt-2.0.jar in the local repository)
java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=1Qaz0oKm algorithm=PBEWithMD5AndDES input=root
Output Information
    ----ENVIRONMENT-----------------

    Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.171-b11

    ----ARGUMENTS-------------------

    input: root
    algorithm: PBEWithMD5AndDES
    password: 1Qaz0oKm

    ----OUTPUT----------------------

    NZmLHOOHX0SEjc285iG9YQ==
Copy the result shown under ----OUTPUT----.
2. Configure properties files
Put the encrypted strings, wrapped in ENC(...), into the configuration file (application.properties, or application.yml as in the example below)
    server:
      port: 8080
    spring:
      datasource:
        url: jdbc:mysql://localhost:3306/test?serverTimezone=UTC&useUnicode=true&characterEncoding=utf-8&useSSL=true
        username: ENC(GHK23XVFNHoQQ97vIW523Q==)
        password: ENC(aTKef0XcG05Cfzao92EqqQ==)
        # The driver class belongs under driver-class-name (the original listed it under data-username)
        driver-class-name: com.mysql.cj.jdbc.Driver
      jpa:
        show-sql: true
        database-platform: org.hibernate.dialect.MySQL5InnoDBDialect
        database: MYSQL
        hibernate:
          ddl-auto: update
    jasypt:
      encryptor:
        password: 1Qaz0oKm # Salt required for encryption
        #algorithm: PBEWithMD5AndDES # Default encryption PBEWithMD5AndDES, can be changed to PBEWithMD5AndTripleDES
The classes corresponding to the two encryption algorithms are BasicTextEncryptor and StrongTextEncryptor (excerpts from org.jasypt.util.text):

    // BasicTextEncryptor
    private final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();

    public BasicTextEncryptor() {
        this.encryptor.setAlgorithm("PBEWithMD5AndDES");
    }

    // StrongTextEncryptor
    private final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();

    public StrongTextEncryptor() {
        this.encryptor.setAlgorithm("PBEWithMD5AndTripleDES");
    }
3. Supply the salt value at deployment time
1. To prevent the salt from leaking (anyone who holds it can recover the passwords), do not keep it in the configuration file; pass it in on the command line when the project is deployed
java -jar -Djasypt.encryptor.password=1Qaz0oKm xxx.jar
2. Or configure it in the server's environment variables, which further improves security
Open the /etc/profile file:

    vim /etc/profile

Insert at the end of the file (no spaces around the = sign, or the shell will not set the variable):

    export JASYPT_PASSWORD=G0CvDz7oJn6

Reload the profile:

    source /etc/profile

Run the application:

    java -jar -Djasypt.encryptor.password=${JASYPT_PASSWORD} xxx.jar
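As an added example (my own code, not from this article or the jasypt project), the following stand-alone program ties sections 1 to 3 together: it builds the encryptor the way the starter does, but takes the password from the JASYPT_PASSWORD environment variable described above instead of from the file, pins the algorithm explicitly so it matches the one used to encrypt, and resolves ENC(...) property values the way the starter does. It assumes JASYPT_PASSWORD is set in the environment it runs in; the class name EncDemo and the helper names are my own.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class EncDemo {
    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";

    // Builds the encryptor with the password read from JASYPT_PASSWORD (section 3),
    // so the key never has to be written into the configuration file.
    static StandardPBEStringEncryptor encryptorFromEnv() {
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setPasswordEnvName("JASYPT_PASSWORD");
        // Pin the algorithm so it cannot drift from the one used when encrypting
        config.setAlgorithm("PBEWithMD5AndDES");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wraps a ciphertext the way the configuration file expects it
    static String wrap(String cipherText) {
        return PREFIX + cipherText + SUFFIX;
    }

    // Resolves one property value: ENC(...) values are decrypted, others pass through
    static String resolve(StandardPBEStringEncryptor encryptor, String value) {
        if (value == null || !value.startsWith(PREFIX) || !value.endsWith(SUFFIX)) {
            return value;
        }
        String inner = value.substring(PREFIX.length(), value.length() - SUFFIX.length());
        return encryptor.decrypt(inner);
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor = encryptorFromEnv();
        String c1 = encryptor.encrypt("root");
        String c2 = encryptor.encrypt("root");
        // jasypt prepends a random salt, so the same plaintext encrypts differently
        // each time (which is why the ciphertexts in sections 1 and 2 differ) ...
        System.out.println("same plaintext, different ciphertext: " + !c1.equals(c2));
        // ... but every ciphertext still decrypts to the original value
        System.out.println("spring.datasource.username=" + resolve(encryptor, wrap(c1)));
        System.out.println("spring.datasource.password=" + resolve(encryptor, wrap(c2)));
        System.out.println("plain value untouched: " + resolve(encryptor, "jdbc:mysql://localhost:3306/test"));

        // A mismatched password or algorithm at deployment time usually surfaces as this
        // exception at startup rather than as a silently wrong credential
        StandardPBEStringEncryptor wrong = new StandardPBEStringEncryptor();
        wrong.setAlgorithm("PBEWithMD5AndDES");
        wrong.setPassword("not-the-deployed-password");
        try {
            wrong.decrypt(c1);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("decryption with the wrong password rejected");
        }
    }
}
```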
Here is a concrete implementation of my own: https://github.com/eelve/jasypt. It uses Jasypt to encrypt the database connection information and connects to the database successfully.
Official repository: https://github.com/ulisesbocchio/jasypt-spring-boot