Ed Legaspi

Posted on • Originally published at czetsuyatech.com

How to Use Jasypt or Jce to Encrypt Passwords in Spring Config

Jasypt and JCE are two encryption options we can use in our Spring config to keep passwords out of plaintext: for example, to encrypt the API token of your GitHub repository, or to encrypt the Spring Config Server's security.user.password value.

Jasypt Example

Instructions on how to use Jasypt to secure a Spring Boot application's configuration.

  1. Create a new Spring project; we will use it to encrypt our password.

  2. Include the jasypt dependency.

<dependency>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-spring-boot-starter</artifactId>
  <version>3.0.3</version>
</dependency>
  3. Use this code block to encrypt a string.

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

private static void encryptString() {
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
    encryptor.setPassword("password");                 // master password; the same value goes into jasypt.encryptor.password
    encryptor.setAlgorithm("PBEWITHSHA1ANDDESEDE");
    encryptor.setIvGenerator(new RandomIvGenerator()); // fresh random IV per call, so the output differs on every run

    String result = encryptor.encrypt("Hello World!");
    System.out.println("encrypted=" + result); // prints differently on each run

    result = encryptor.decrypt(result);
    System.out.println("decrypted=" + result);
}
  4. To use it in Spring Security, add these security lines to the Spring Config Server's bootstrap file (shown here in YAML):
security:
    user:
        name: czetsuya
        password: ENC(3E31QZ4Ih8kbEYl141+Hd8zG1N/Pt9c60nHkGX9lnG4=)
  5. On the client-side Spring application, configure the Spring Cloud Config location and the jasypt encryptor password.
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: ENC(T9aWpcoGGXGV6x+D/oiJGWkvJSBjwEmpLaBy7utknQo=)

jasypt:
    encryptor:
        password: password # or you can replace this with an environment variable ${JASYPT_ENCRYPTOR_PASSWORD}
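As an added example (not code from the original post), here is a small command-line helper that builds an encryptor matching the jasypt-spring-boot 3.x defaults (PBEWITHHMACSHA512ANDAES_256 with a random IV, stronger than the SHA1/3DES algorithm used above), reads the master password from the JASYPT_ENCRYPTOR_PASSWORD environment variable and emits the ENC(...)-wrapped value ready to paste into the YAML. The class and method names are assumptions; the jasypt classes and setters are the library's own. Keep in mind that the application only decrypts values with the algorithm configured under jasypt.encryptor.algorithm, so the algorithm used offline must match the one the application is configured with.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
// Added example, not part of the original post. ConfigSecretTool and its
// method names are assumptions; the jasypt classes and setters are real.
public class ConfigSecretTool {
    // Builds an encryptor with the same settings jasypt-spring-boot 3.x uses
    // by default, so ENC(...) values decrypt without extra jasypt.encryptor.* keys.
    static PooledPBEStringEncryptor encryptor(String masterPassword) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(masterPassword);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // AES-256, not SHA1/3DES
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator"); // fresh IV per value
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wraps the ciphertext in the ENC(...) marker that jasypt-spring-boot scans for.
    static String encryptForConfig(PooledPBEStringEncryptor enc, String plaintext) {
        return "ENC(" + enc.encrypt(plaintext) + ")";
    }

    // Accepts either a bare ciphertext or an ENC(...)-wrapped property value.
    static String decryptFromConfig(PooledPBEStringEncryptor enc, String value) {
        String body = value;
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            body = value.substring(4, value.length() - 1);
        }
        return enc.decrypt(body);
    }

    public static void main(String[] args) {
        // Master password comes from the environment, never from source control.
        String master = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        PooledPBEStringEncryptor enc = encryptor(master);
        String secret = args.length > 0 ? args[0] : "Hello World!"; // constructed sample value
        String wrapped = encryptForConfig(enc, secret);
        System.out.println("password: " + wrapped); // paste this into the YAML shown above
        if (!secret.equals(decryptFromConfig(enc, wrapped))) { // round-trip check before trusting it
            throw new IllegalStateException("round-trip failed");
        }
    }
}
```

Run it with the same JASYPT_ENCRYPTOR_PASSWORD the application reads, so the value you paste decrypts under the property shown in the client config.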

JCE Example

Instructions on how to use JCE to secure a Spring Boot application's configuration.

To make this exercise easier on Windows, I'll be using WSL2 to run Ubuntu and install sdkman.

You must also take note of the latest spring-cloud-cli version from https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-cli

Follow this guide: https://sdkman.io/install. Check that it succeeded by running the command sdk version in a terminal.

Execute the following commands:

# install spring
sdk install springboot

# install spring-cloud-cli
spring install org.springframework.cloud:spring-cloud-cli:3.0.2

# encrypt your text
spring encrypt 'Hello World!' --key 'password'
# results in 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1
# should be different on each run

# decrypt the text
spring decrypt 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1 --key 'password'

As before, we need to set the encrypted password in both the Spring Cloud Config server and the client. This time, instead of the ENC() wrapper, we use the {cipher} prefix, which tells Spring Cloud Config to decrypt the value with encrypt.key (the value must be quoted, since { starts a mapping in YAML).

Server

security:
    user:
        name: czetsuya
        password: '{cipher}5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1'

Client

spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: '{cipher}3079cb49646bf1a11dc15e3563c16cb3fb614aebdb5fe389f75d48d3ac43ae6f'

encrypt:
  key: password # or you can replace this with an environment variable ${ENCRYPT_KEY}

And there you go, folks: stop committing your passwords in plaintext to public repositories :-)
