rewritten doc about jasypt password encryption and decryption #298
Conversation
There was a problem hiding this comment.
@ravicm2 thanks for all your investigation to take this further and for creating this PR. 👍
IMHO this story is not so easy and I added some questions and review comments. Let us see what we can clarify easily and quickly. For all remaining aspects we might better do a call together...
| A simple but reasonable approach is to configure the passwords encrypted with a master-password. The master-password should be a strong secret that is specific for each environment. It must never be committed to version-control. | ||
| In order to support encrypted passwords in spring-boot `application.properties` all you need to do is to add https://github.com/ulisesbocchio/jasypt-spring-boot#jasypt-spring-boot[jasypt-spring-boot] as dependency in your `pom.xml`(please check for recent version): | ||
| [source, xml] | ||
| Let us have a look how to encrypt password using `jasypt-springboot-starter` and `jasypt-springboot`. |
There was a problem hiding this comment.
should be jasypt-spring-boot-starter
| </dependency> | ||
| ---- | ||
|
|
||
| Please check the latest version link:https://mvnrepository.com/artifact/com.github.ulisesbocchio/jasypt-spring-boot-starter[here] . |
| ----ARGUMENTS------------------- | ||
| ARGUMENTS |
There was a problem hiding this comment.
just for clarification:
This was the raw output of jasypt CLI.
Has this been changed, as I produced invalid ASCIIDOC since the 5 dashes indicate the end of the source?
We could also simply change the 5 dashes opening and ending to 3 backticks instead.
There was a problem hiding this comment.
should we also replace the example data to fit with the new encryption algorithm?
There was a problem hiding this comment.
@hohwille do you mean example provided here in the document or any other application already there for jasypt?
There was a problem hiding this comment.
I was only talking about the output of jasypt CLI where I annotated this review comment. With example I am talking about the used data
input: postgres
password: secret
and especially the produced result that IMHO will change as the suggested security algorithm changed with this PR. Also a question would be if the CLI changes or a different Main-Class needs to be used for this now.
|
|
||
| jd5ZREpBqxuN9ok0IhnXabgw7V3EoG2p | ||
| ---- | ||
|
|
||
| The master-password can be configured on your target environment via the property `jasypt.encryptor.password`. As system properties given on the command-line are visible in the process list, we recommend to use an `config/application.yml` file only for this purpose (as we recommended to use `application.properties` for regular configs): |
There was a problem hiding this comment.
why has this section been removed? It IMHO contains relevant information that is now missing.
There was a problem hiding this comment.
I have added this at line number 327
There was a problem hiding this comment.
But you "removed" the info that the property is called jasypt.encryptor.password. I always welcome if people make our documentation more detailed/expressive, but we should avoid removing valuable info.
| New configuration class is required for `Jasypt-springboot` dependency and we need to add the annotation `@EncryptablePropertySource` at the class level. | ||
|
|
||
| Below is an example, | ||
|
|
||
| [source,java] | ||
| ---- | ||
| @Configuration | ||
| @EncryptablePropertySource("encrypted.properties") | ||
| public class AppJasyptConfig { | ||
| } | ||
| ---- | ||
|
|
||
| And a service class to map the property in encrypted.properties. | ||
| [source,java] | ||
| ---- | ||
| @Service | ||
| public class PropertyMapperJasypt { | ||
|
|
||
| @Value("${encrypted.property}") | ||
| private String property; | ||
|
|
||
| public String getProperty() { | ||
| return property; | ||
| } | ||
| } | ||
| ---- | ||
| Using the above service class and setting the secret key which we used for encryption, we can easily retrieve the encrypted.property. |
There was a problem hiding this comment.
This is an example that sounds more like a "tutorial to get started with jasypt" to me. IMHO we need a clear pattern/best practice how to do it properly.
| @Bean(name = "encryptorBean") | ||
| public StringEncryptor stringEncryptor() { | ||
| PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor(); | ||
| SimpleStringPBEConfig config = new SimpleStringPBEConfig(); | ||
| config.setPassword("password"); | ||
| config.setAlgorithm("PBEWithMD5AndDES"); | ||
| config.setKeyObtentionIterations("1000"); | ||
| config.setPoolSize("1"); | ||
| config.setProviderName("SunJCE"); | ||
| config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator"); | ||
| config.setStringOutputType("base64"); | ||
| encryptor.setConfig(config); | ||
| return encryptor; | ||
| } |
There was a problem hiding this comment.
So are these the parameters that make the encrpytion secure according to state of the art?
Did you align this with @maybeec or where did you get this code from?
There was a problem hiding this comment.
No i have not discussed regarding this with @maybeec but this is an example i learned from a tutorial. This is one type of creating custom encryptor. we add change the parameters differently
There was a problem hiding this comment.
This config allows you to adapt the algorithm.
Anyhow the algorithm used here is the standard one which is quite insecure. Anyhow, at the time I tried making it more secure I was not able to get any other algorithm to work for any reason. Possibly this has been fixed meanwhile!?
Sure @hohwille . May be tomorrow we can have a call regarding this. May be we can include @maybeec if he is free. |
|
Ravichandran M seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
This PR is IMHO replaced by PR #332. |
No description provided.