The EncryptionResolver decrypts secrets that were encrypted with Spring Cloud Config Server's encryption support (for example its /encrypt endpoint). For details on producing those values, read the Spring Cloud and Spring Cloud Config documentation on encryption and decryption.
The two main use cases for the EncryptionResolver are:
- Decrypting encrypted secrets served by Config Server
- Storing encrypted secrets in a git repository
The EncryptionResolver can be enabled as follows:
builder.Host.ConfigureServices((context, services) => services.ConfigureEncryptionResolver(context.Configuration));
This uses the same encryption format as Spring Cloud Config, so values produced by Config Server can be decrypted inside the application.
Any configuration value prefixed with '{cipher}' is decrypted with the configured key; values without the prefix are left as they are:
{
  "EncryptedSecret": "{cipher}23f97efe......"
}
To decrypt the secrets, the EncryptionResolver must be configured to match the way the secrets were encrypted.
There are two modes, symmetric and asymmetric. For symmetric encryption a shared key is used to decrypt the secrets:
{
  "Encrypt": {
    "Enabled": true,
    "Key": "12345678901234567890"
  }
}
NOTE: This shared key should not be committed to any repository. Pass it to the application by other means, such as an environment variable (Encrypt__Key with the default .NET environment-variable configuration provider) or a secret store.
For asymmetric encryption, the configuration should be as follows:
{
  "Encrypt": {
    "Enabled": true,
    "KeyStore": {
      "Location": "path/to/keystore",
      "Password": "keystore_password",
      "Alias": "keyalias"
    }
  }
}
NOTE: Neither the keystore password nor the keystore file itself should be committed to any repository. Pass them to the application by other means.
The following table describes the settings that you can apply to the EncryptionResolver:
Key | Description | Default |
---|---|---|
Encrypt:Enabled | Enable decryption of encrypted {cipher} properties | false |
Encrypt:Rsa:Strong | When true, the "strong" AES-GCM mode is used for the symmetric part of RSA-encrypted values. When false, AES-CBC is used. | false |
Encrypt:Rsa:Salt | Salt for the random secret used to encrypt the cipher text | deadbeef |
Encrypt:Rsa:Algorithm | The RSA padding scheme to use: DEFAULT (PKCS#1 v1.5) or OAEP | DEFAULT |
Encrypt:KeyStore:Location | Location of the key store file. Only PKCS12 stores are supported. | |
Encrypt:KeyStore:Password | Password that unlocks the keystore | |
Encrypt:KeyStore:Alias | Alias of the key in the store | |
Encrypt:Key | A symmetric key. A keystore (asymmetric mode) is the stronger alternative. | |
You can use your own decryption scheme by implementing the ITextDecryptor interface:
public class MyDecryption : ITextDecryptor
{
    // Called for a '{cipher}...' value; returns the plain text.
    public string Decrypt(string fullCipher)
    {
        ....
    }
    // Called for values that name a key alias.
    public string Decrypt(string fullCipher, string alias)
    {
        ....
    }
}
Registration is done using the overloaded ConfigureEncryptionResolver method:
builder.Host.ConfigureServices((context, services) => services.ConfigureEncryptionResolver(context.Configuration, new MyDecryption()));
NOTE: Creating encryption algorithms is notoriously difficult. Only use this if you know what you are doing.
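The following is an added example and is not Steeltoe's own code. It reimplements, in plain .NET 6 or later, the symmetric '{cipher}' format that Spring Cloud Config Server's /encrypt endpoint produces for a shared key (Spring Security's Encryptors.text: PBKDF2-HMAC-SHA1 with 1024 iterations over the hex-decoded salt, AES-256-CBC with PKCS7 padding, a random 16-byte IV prepended, hex encoded). It therefore illustrates two passages at once: what the built-in resolver does with the shared-key configuration above, and what a custom ITextDecryptor looks like with its two Decrypt bodies filled in. Assumptions: the class name SharedKeyDecryptor is hypothetical; the salt defaults to the table's deadbeef (the page does not say whether the symmetric path reads Encrypt:Rsa:Salt); Steeltoe's built-in symmetric decryption is assumed to follow this Spring format because the page says it decrypts Config Server output. The Encrypt method exists only so the example can round-trip offline without a running Config Server.

```csharp
// Added example, not Steeltoe's code. Requires .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

// Same two method shapes as ITextDecryptor. To hand it to
// ConfigureEncryptionResolver(configuration, new SharedKeyDecryptor(...)),
// add ": ITextDecryptor" and the using for Steeltoe's encryption package.
public sealed class SharedKeyDecryptor
{
    private const string CipherPrefix = "{cipher}";
    private const int Iterations = 1024;   // Spring Security Encryptors.text default
    private const int KeyBytes = 32;       // AES-256
    private const int IvBytes = 16;        // IV is prepended to the cipher text

    private readonly byte[] _key;

    // key: the value of Encrypt:Key. saltHex: hex salt, "deadbeef" as in the table (assumed).
    public SharedKeyDecryptor(string key, string saltHex = "deadbeef")
    {
        _key = Rfc2898DeriveBytes.Pbkdf2(
            key, Convert.FromHexString(saltHex), Iterations, HashAlgorithmName.SHA1, KeyBytes);
    }

    public string Decrypt(string fullCipher)
    {
        // Values without the prefix are not encrypted: pass them through unchanged.
        if (fullCipher is null || !fullCipher.StartsWith(CipherPrefix, StringComparison.Ordinal))
            return fullCipher;

        byte[] blob = Convert.FromHexString(fullCipher.Substring(CipherPrefix.Length));
        if (blob.Length < IvBytes + 16 || (blob.Length - IvBytes) % 16 != 0)
            throw new CryptographicException("cipher text is not IV + whole AES blocks");

        ReadOnlySpan<byte> iv = blob.AsSpan(0, IvBytes);
        ReadOnlySpan<byte> ct = blob.AsSpan(IvBytes);
        using var aes = Aes.Create();
        aes.Key = _key;
        byte[] plain = aes.DecryptCbc(ct, iv, PaddingMode.PKCS7);
        return Encoding.UTF8.GetString(plain);
    }

    // Alias overload of ITextDecryptor; a single shared key has no aliases to choose from.
    public string Decrypt(string fullCipher, string alias) => Decrypt(fullCipher);

    // Only for the offline round trip below; in practice Config Server's /encrypt produces these.
    public string Encrypt(string plainText)
    {
        byte[] iv = RandomNumberGenerator.GetBytes(IvBytes);
        using var aes = Aes.Create();
        aes.Key = _key;
        byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(plainText), iv, PaddingMode.PKCS7);
        byte[] blob = new byte[iv.Length + ct.Length];
        iv.CopyTo(blob, 0);
        ct.CopyTo(blob, iv.Length);
        // Spring hex-encodes in lowercase; FromHexString accepts either case on the way back.
        return CipherPrefix + Convert.ToHexString(blob).ToLowerInvariant();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample key; a real key arrives via Encrypt__Key or a secret store, not appsettings.json.
        var decryptor = new SharedKeyDecryptor("12345678901234567890");

        string cipher = decryptor.Encrypt("my-database-password");
        Console.WriteLine(cipher);                      // {cipher}<32 hex chars of IV><hex cipher text>
        Console.WriteLine(decryptor.Decrypt(cipher));   // round-trips to the original plain text
        Console.WriteLine(decryptor.Decrypt("plain"));  // no prefix, so returned unchanged

        // A resolver configured with a different key cannot read the value. With CBC the
        // mismatch surfaces only as a PKCS7 padding error (and roughly 1 time in 256 not at
        // all, yielding garbage), because CBC carries no integrity check.
        try
        {
            new SharedKeyDecryptor("some-other-key").Decrypt(cipher);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("key mismatch: " + e.Message);
        }
    }
}
```

Because CBC gives confidentiality only, treat any decryption failure as a configuration or integrity problem and let it fail application startup rather than fall back to the raw '{cipher}' string; a decryptor that quietly returns garbage or the undecrypted value turns a key mismatch into a hard-to-diagnose runtime bug.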