---
toc: true
comments: true
layout: post
title: Password Security
description: How to manage secret and password files in application.properties
author: William Wu
---

# Use of Environment Variables

Store secret values as environment variables on the server where your application is deployed. Spring Boot automatically picks up these environment variables and can use them as configuration properties. Replace the sensitive values in the `application.properties` file with placeholders that reference the corresponding environment variables. This keeps the credentials from being leaked when the file is pushed to GitHub.

Example: instead of

```properties
spring.datasource.password = password123
```

you can do this

```properties
spring.datasource.password = ${DB_PASSWORD}
```

and have `DB_PASSWORD` defined as "password123" in the `.env` file.

### How to set up the .env file

1. Create a .env file
2. Set the variables and values
3. Import the dotenv package into the file where you want to use the variables
4. Use in code as shown above

# Secure the Config File
You can encrypt sensitive values in config files. Below is one tool that can serve this purpose.

## Jasypt

How to use:
- Add the dependency

```xml
<dependency>
    <groupId>org.jasypt</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>
```

- Define Encryption Configuration

Set the following in application.properties or application.yml

```properties
jasypt.encryptor.password=your-encryption-password
```

Where "your-encryption-password" is your encryption password.

- Encrypt in application.properties or application.yml

```properties
db.password=ENC(mysecretpassword)
```

where the `ENC(...)` wrapper marks the password as an encrypted value that Jasypt decrypts at runtime.

- Use Spring as normal. It will automatically decrypt the credentials when needed.
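
A check that can run before a push to catch literal credentials left in `application.properties`. This is an added example, not code from the original post; the key-name heuristic, the function name and the sample file contents are assumptions made for illustration. It goes slightly beyond the text by also flagging `${VAR:default}` placeholders, whose default value is a literal that would be committed.

```python
import re

# Assumed heuristic: key names that usually hold credentials.
SECRET_KEY = re.compile(r"password|passwd|secret|token|api[-_.]?key", re.I)
# Safe to commit: a bare ${ENV_VAR} placeholder (no ":default" part) ...
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][\w.\-]*\}$")
# ... or a value wrapped in Jasypt's ENC(...).
ENCRYPTED = re.compile(r"^ENC\(.+\)$")
KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")

# Constructed sample file, reusing the property lines shown on this page.
SAMPLE = """\
# constructed sample
spring.datasource.url = jdbc:mysql://localhost/app
spring.datasource.password = password123
db.password=ENC(mysecretpassword)
api.token=${API_TOKEN}
mail.password=${MAIL_PASSWORD:changeme}
jasypt.encryptor.password=your-encryption-password
"""


def find_plaintext_secrets(text):
    """Return (line_number, key) for secret-like keys holding a literal value."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if not value or not SECRET_KEY.search(key):
            continue
        if PLACEHOLDER.match(value) or ENCRYPTED.match(value):
            continue
        findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE):
        print(f"line {lineno}: {key} holds a literal value")
```

The check only looks at the form of the value; it cannot tell whether the text inside `ENC(...)` is really ciphertext.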

## Resources

- ChatGPT
- Google
- [Jasypt](https://www.baeldung.com/spring-boot-jasypt)