
Encrypt Properties

Target audience: System administrators & developers

Flowable Work is built on top of Spring Boot.
This means that the Spring Boot mechanism of managing properties is used in order to configure the Flowable applications.
This How-To details two possible alternatives.

Introduction

Spring Boot by default does not offer a way of using encrypted properties. However, there are mechanisms built on top of Spring Boot that offer such functionality. Two tested mechanisms are as follows:

  • Spring Cloud Context - Maintained by the same team behind Spring and Spring Boot, licensed under the Apache 2.0 License.
  • Jasypt Spring Boot - Built on top of jasypt, maintained by a voluntary team, licensed under the MIT License.

Spring Cloud Context

This How-To explains the most basic setup using Spring Cloud Context. If a more complex setup is needed, refer to the documentation for the Spring Cloud Context encryption / decryption and the Spring Cloud Config Encryption.

Prerequisites

  • The Spring Boot CLI is installed
  • The Spring Boot Cloud CLI is installed. At the time of writing this How-to this can be installed using spring install org.springframework.cloud:spring-cloud-cli:3.0.2
  • An already configured Flowable Project

Configuring your project

If you are already using Spring Cloud then you can skip this step. Otherwise, the minimum you will need to add is the following dependency:

<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-context</artifactId>
<version>3.0.3</version>
</dependency>

The version can be adapted based on the Spring Boot Version you are using.

note

If you are using the out-of-the-box Flowable Applications then you already have this starting from 3.10.

Using Properties

Once the dependency is part of your project you can use properties in the following way:

encrypt.key=change-me-key
spring.datasource.password={cipher}<encryptedPassword>

Every property whose value starts with {cipher} is an encrypted property that needs to be decrypted by the decryption mechanism.

info

The encrypt.key should not really be set in your application property files, but rather set as an environment variable on your system. This is the key that is used for decrypting the encrypted values.

It is also possible to use private / public keys for encrypting and decrypting the values. For how to configure that you can read here.

Encrypting properties

In order to encrypt a property we will use the Spring Boot CLI.

e.g.

spring encrypt superSecretPassword --key change-me-key

Running that command will output the encrypted value of "superSecretPassword".

e.g.

9cfd5e04c821828481673aacbf1cb5dc287849d36946000dc1fdddfea4bffa8dc18f9e1f87543be9ee466525eb9b52dd

This can be set as a property in the following way:

application.secret-property={cipher}9cfd5e04c821828481673aacbf1cb5dc287849d36946000dc1fdddfea4bffa8dc18f9e1f87543be9ee466525eb9b52dd

Jasypt Spring Boot

As an alternative to the Spring Cloud approach shown above, the instructions below provide a solution based on Jasypt Spring Boot. More details on the Jasypt encryption library can be found at http://www.jasypt.org

Configuring your project

Add the following dependency to your project's pom.xml:

<!-- Jasypt property encryption -->
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>${jasypt-spring-boot-starter.version}</version>
</dependency>

note

The property used above jasypt-spring-boot-starter.version should be set as a property in the pom.xml file.
Make sure you check for the latest version here: jasypt-spring-boot-starter

Encrypting properties

Now that we have the necessary libraries installed, we can define a secret key and select our encryption algorithm. The available encryption algorithms are determined by the PBE (Password Based Encryption) algorithms available in your JVM. You can use the Jasypt command line utility "Listing algorithms" to get a list of available algorithms.

For this exercise, we will be using the following algorithm: PBEWithMD5AndTripleDES

For our secret key, we will be using: superSecret

note

Please ensure you choose your own non-trivial encryption password.

We are now ready to generate our encrypted property. There are a couple of ways to do this. The first is to download the Jasypt command line tools from Jasypt CLI Tools.

The alternative, which is the procedure we will use, is to call the jar directly from our Maven repository.
Below we encrypt the property value flowable:

cd <homedir>/.m2/repository/org/jasypt/jasypt/1.9.3
java -cp ./jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=superSecret algorithm=PBEWithMD5AndTripleDES input=flowable

----ENVIRONMENT-----------------

Runtime: Eclipse Adoptium OpenJDK 64-Bit Server VM 17.0.8.1+1



----ARGUMENTS-------------------

input: flowable
password: superSecret
algorithm: PBEWithMD5AndTripleDES



----OUTPUT----------------------

8tNkPmVUg/2lGBYwHRt8GTdPNB3LMknb

This generates the encrypted value for flowable using the seed key superSecret and algorithm PBEWithMD5AndTripleDES.

Finally, we are ready to use this encrypted property value in our properties file.

Using Properties

Once the dependency is part of your project you can use properties in the following way:

jasypt.encryptor.password=superSecret
jasypt.encryptor.algorithm=PBEWithMD5AndTripleDES
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator

spring.datasource.password=ENC(<encryptedPassword>)

Every property whose value is wrapped in ENC(...) is an encrypted property that needs to be decrypted by the decryption mechanism.

info

The jasypt.encryptor.password should not really be set in your application property files, but rather set as an environment variable on your system. This is the key that is used for decrypting the encrypted values.

The above example does not use an initialization vector (org.jasypt.iv.NoIvGenerator).
For additional security, you may choose to set a different initialization vector class.
Other options can be found here: Package org.jasypt.iv
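
A check for the two info notes above (keep encrypt.key and jasypt.encryptor.password out of property files) and for the remark on NoIvGenerator, written as an added example that is not part of the original How-To or of Flowable's tooling. The function name audit_properties, the word list used to spot secret-looking property names and the sample file are assumptions made for illustration.

```python
import re

# Properties that hold the decryption key itself (names from this How-To).
KEY_PROPS = {"encrypt.key", "jasypt.encryptor.password"}
# Assumption: property names containing these words carry secrets.
SECRET_NAME = re.compile(r"password|secret|token|credential", re.I)
# Encrypted-value markers from this page, plus ${...} placeholders that
# Spring resolves from the environment at startup.
PROTECTED = re.compile(r"^(\{cipher\}.+|ENC\(.+\)|\$\{.+\})$")
# Key, then '=' or ':' (both are valid .properties separators), then value.
LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]\s*(.*?)\s*$")


def audit_properties(text):
    """Return (line_number, property, finding) tuples in file order."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        match = LINE.match(raw)
        if raw.lstrip().startswith(("#", "!")) or not match:
            continue  # comment, blank line, or no key/value pair
        name, value = match.groups()
        if name.lower() in KEY_PROPS:
            if not value.startswith("${"):
                findings.append((number, name, "decryption key stored in file"))
        elif name.lower().endswith("iv-generator-classname"):
            if value.endswith("NoIvGenerator"):
                findings.append((number, name, "no initialization vector"))
        elif SECRET_NAME.search(name) and value and not PROTECTED.match(value):
            findings.append((number, name, "secret value is not encrypted"))
    return findings


# Constructed sample input, modelled on the snippets in this How-To.
SAMPLE = """\
# constructed example file
jasypt.encryptor.password=superSecret
jasypt.encryptor.algorithm=PBEWithMD5AndTripleDES
jasypt.encryptor.iv-generator-classname: org.jasypt.iv.NoIvGenerator
spring.datasource.password=ENC(8tNkPmVUg/2lGBYwHRt8GTdPNB3LMknb)
application.secret-property={cipher}0123abcd
spring.mail.password=plain-text-value
"""

if __name__ == "__main__":
    for number, name, finding in audit_properties(SAMPLE):
        print(f"line {number}: {name}: {finding}")
```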