Use Jasypt to encrypt the application configuration file (application.yml / application.properties) of a SpringBoot project
This article covers why sensitive information in a SpringBoot application configuration file should be encrypted, how to use the jasypt-spring-boot project to encrypt application.* files, and some suggestions on encryption strategy. It records some experience with configuration-file encryption.
What is in the application configuration file
To understand why the application configuration file should be encrypted, you first need to know what it contains. Anyone who has used SpringBoot knows that certain configuration for the whole system is loaded at startup: database connection information, Redis configuration, log output settings, and so on. This configuration shares some common characteristics: it is global (the whole system uses one copy), static (it does not change once the program is running), and environment-dependent (some values differ between environments). These values could be written directly into the program, but we do not want to change the code whenever the environment changes. The application configuration file therefore became indispensable, and a great deal of sensitive information such as passwords and keys ends up recorded in it.
Why encrypt
As mentioned above, critical secrets such as the database password and program keys are recorded in the application configuration file. If this information is obtained by an attacker through a system vulnerability, the loss would be incalculable.
How to encrypt
This article uses Jasypt-Spring-Boot for encryption; using jasypt-spring-boot is very simple.
- Introduce the dependency
- If your SpringBoot project uses @SpringBootApplication or @EnableAutoConfiguration, as follows:

```java
@SpringBootApplication
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}
```

Use the following dependency:

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.4</version>
</dependency>
```

- If not, use the following dependency:

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>3.0.4</version>
</dependency>
```

and add the annotation at the program entry point:

```java
@Configuration
@EnableEncryptableProperties
public class MyApplication {
}
```
- Next, the key information is encrypted
- Mark the values in the configuration file that need to be encrypted with the following marker:

```yaml
spring:
  datasource:
    url: jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
    username: root
    password: DEC(123456) # the password 123456 must be encrypted, so it is wrapped in DEC()
```

- Introduce the Jasypt Maven plugin:

```xml
<build>
    <plugins>
        <plugin>
            <groupId>com.github.ulisesbocchio</groupId>
            <artifactId>jasypt-maven-plugin</artifactId>
            <version>3.0.4</version>
        </plugin>
    </plugins>
</build>
```

- Execute the following command to encrypt src\main\resources\application.properties:

```shell
mvn jasypt:encrypt -Djasypt.encryptor.password="the password"
```

- If the configuration file is not application.properties, use the following command to specify the file name to encrypt:

```shell
mvn jasypt:encrypt -Djasypt.plugin.path="file:src/main/resources/application.yml" -Djasypt.encryptor.password="the password"
```

Note: running the command from CMD on Windows re-encodes the whole file as GBK. Running it from Bash or IDEA's built-in terminal is more reliable.

- Here is the result of encryption. The original DEC has become ENC, which means encryption is complete:

```yaml
spring:
  datasource:
    url: jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
    username: root
    password: ENC(STxPwhemkd3r5ugshWeRywkH//rGhCq4KjhIMm1xZoc5lW07sO6/nfh684Q4r3kQ)
```
- Now we are ready to start the application
- Since the password has been encrypted, the program needs to be told somewhere what the key for decryption is. Therefore add one more property to the application configuration file to record the encryption key:

```yaml
jasypt:
  encryptor:
    password: the password # do not encrypt this value, otherwise nothing can recover the password
```

- If you start the application now, you will find that it starts normally. If startup fails, there is still a problem with the configuration; go through the steps above again.
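The following is an added example, not code from the original article or from the jasypt-spring-boot project. It reproduces with the plain jasypt API what the Maven plugin does to a DEC(...) value and what the starter does to an ENC(...) value at startup, using the defaults jasypt-spring-boot 3.x applies when only jasypt.encryptor.password is configured. It assumes the jasypt-spring-boot-starter 3.0.4 dependency is on the classpath and reads the key from an assumed environment variable JASYPT_ENCRYPTOR_PASSWORD, falling back to a constructed demo value.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptDemo {
    // Same defaults jasypt-spring-boot 3.x applies when only jasypt.encryptor.password is set:
    // PBEWITHHMACSHA512ANDAES_256, 1000 iterations, random salt and IV, base64 output.
    static PooledPBEStringEncryptor buildEncryptor(String key) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(key);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // What the maven plugin does to a DEC(...) value: encrypt it and wrap it in ENC(...).
    static String toEnc(PooledPBEStringEncryptor enc, String plaintext) {
        return "ENC(" + enc.encrypt(plaintext) + ")";
    }

    // What the starter does to every ENC(...) property at startup; other values pass through.
    static String fromEnc(PooledPBEStringEncryptor enc, String value) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) return value;
        return enc.decrypt(value.substring(4, value.length() - 1));
    }

    public static void main(String[] args) {
        // Key is read from the environment, not from application.yml. Spring Boot's relaxed
        // binding maps JASYPT_ENCRYPTOR_PASSWORD to jasypt.encryptor.password in the same way.
        String key = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (key == null) key = "the password"; // constructed fallback for running the demo only
        PooledPBEStringEncryptor enc = buildEncryptor(key);
        String stored = toEnc(enc, "123456");               // the value written to application.yml
        System.out.println("password: " + stored);          // random salt/IV: differs on every run
        System.out.println("decrypted: " + fromEnc(enc, stored));
        // A different key cannot decrypt the stored value; jasypt reports it with this
        // exception, which is what a wrong jasypt.encryptor.password produces at startup.
        try {
            fromEnc(buildEncryptor("wrong key"), stored);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong key rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the salt and IV are random, the ENC(...) string differs on every encryption run even for the same plaintext and key, so the value shown in the article cannot be compared byte-for-byte; only decryption with the same key proves it is correct.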
Encryption policy
- Since the worry is that the configuration file itself may be stolen, writing the key in plaintext inside the application configuration file means there is effectively no encryption at all
- Instead, you can pass the key on the command line when starting the SpringBoot application, as shown below:

```shell
java -jar application.jar --jasypt.encryptor.password=YourPassword
```