Encrypting Properties File Values with Jasypt
What's the fuzz all about?
- Spring 3.1+
- Jasypt 1.9.0+
As an example for a file like mail.properties it would contain key-value pairs used by the application to configure a web-application at different stages of the running web application.
Plain Text Values In Properties FilesThe following code snippet below is a typical example of a property configuration for an SMTP service. Note that the username and password entries are provided in clear text.
Code Snippet 1. Property file values
As you can see sensitive information like the username and password is stored in plain text. To make it even worst, we check this in to a source repository like github. Wouldn't it be nice if we could encrypt username and password values?
Encrypted Values in Properties File
With Jasypt you can enter encrypted values by enclosing them with ENC('value'). The values are decrypted in-memory (i.e. during load-time) using a Jasypt-based extension of Spring Framework's org.springframework.context.support.PropertySourcesPlaceholderConfigurer.
Code Snippet 2. Jasypt TextEncryptor solution for encrypting property file values.
Encrypting the property value using Jasypt
Standard Property Placeholder Configuration
The following configuration is a spring framework's standard property placeholder configuration.
Code Snippet 3. Standard Property Placeholder Configuration
Jasypt Text Encryptor Configuration
The code snippet shown below enables the jasypt BasicTextEncryptor implementation with an override to the standard spring property placeholder configuration.
Code Snippet 4. Jasypt TextEncryptor Configuration
You may want to vary your configuration for each environment. For instance dev would be just the default Spring PropertySourcesPlaceholderConfigurer and stage, prod would use Jasypt's EncryptablePropertySourcesPlaceholderConfigurer. One would use Spring Framework Profile Feature (or equivalent) to vary configurations between deployment but this type of discussion is beyond the scope of this blog.
Code Snippet 5. Mail Sender Bean Configuration
Code Snippet 6. Spring Annotation-based Configuration
Generating Salted Encrypted Values
I created an example of how you would produce an encrypted value using a JUnit test class.
The JUnit test shown on the code snippet below is an example code for generating the encrypted value.
Update the secret password as needed but make sure not to check-in the real one.
Note that each time you run the test it will produce a different encrypted text value because the encryption is salted. SEE TextEncryptorTest.java
Code Snippet 7. Unit example for generating an encrypted value
After running the JUnit code on Code Snippet 7, use the encrypted text value and enclose it with ENC() in any of your sourced properties file.
Code Snippet 8. Encrypted property value example
SummaryPlease note that the caveat here is that this solution is not entirely secure at runtime. One can certainly debug an application and see the clear-text value of the encrypted property.
The entire source code can be pulled at github xmx1024. Please feel free to fork it.