Encrypt Properties
Target audience: System administrators & developers
Flowable Work is built on top of Spring Boot.
This means that the Spring Boot mechanism of managing properties is used in order to configure the Flowable applications.
This How-To details two possible alternatives.
Introduction
Spring Boot by default does not offer a way of using encrypted properties. However, there are mechanisms which are build on top of Spring Boot that offer such functionality. Two tested mechanisms are as follows:
- Spring Cloud Context - Maintained by the same team behind Spring and Spring Boot licensed under the Apache 2.0 License
- Jasypt Spring Boot - Build on top of jasypt maintained by a voluntary team licensed under the MIT License.
Spring Cloud Context
This How-To will explain the most basic setup using Spring Cloud Context. In case more complex setup is needed, then the documentation for the Spring Cloud Context encryption / decryption and the Spring Cloud Config Encryption needs to be read.
Prerequisites
- The Spring Boot CLI is installed
- The Spring Boot Cloud CLI is installed. At the time of writing this How-to this can be installed using
spring install org.springframework.cloud:spring-cloud-cli:3.0.2 - An already configured Flowable Project
Configuring your project
If you are already using Spring Cloud then you can skip this step. Otherwise, the minimum you will need to add is the following dependency:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-context</artifactId>
<version>3.0.3</version>
</dependency>
The version can be adapted based on the Spring Boot Version you are using.
If you are using the out-of-the-box Flowable Applications then you already have this starting from 3.10.
Using Properties
Once the dependency is part of your project you can use properties in the following way:
encrypt.key=change-me-key
spring.datasource.password={cipher}<encryptedPassword>
Every property that starts with {cipher} is an encrypted property that needs to be decrypted by the decryption mechanism.
The encrypt.key should not really be set in your application property files, but rather set as an environment variable on your system.
This is the key that is used for decrypting the encrypted values.
It is also possible to use private / public keys for encrypting and decrypting the values. For how to configure that you can read here.
Encrypting properties
In order to encrypt a property we will use the Spring Boot CLI.
e.g.
spring encrypt superSecretPassword --key change-me-key
Running that command will output the encrypted value of "superSecretPassword"
e.g.
9cfd5e04c821828481673aacbf1cb5dc287849d36946000dc1fdddfea4bffa8dc18f9e1f87543be9ee466525eb9b52dd
This can be set as a property in the following way:
application.secret-property={cipher}9cfd5e04c821828481673aacbf1cb5dc287849d36946000dc1fdddfea4bffa8dc18f9e1f87543be9ee466525eb9b52dd
Jasypt Spring Boot
As an alternative to using the Spring Cloud approach shown above, the instructions below provide a solution based on using Jasypt Spring Boot. More details of Jasypt encryption library can be found at http://www.jasypt.org
Configuring your project
Add the following dependency to your project pom.xml
<!-- Jasypt property encryption -->
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>${jasypt-spring-boot-starter.version}</version>
</dependency>
The property used above jasypt-spring-boot-starter.version should be set as a property in the pom.xml file.
Make sure you check for the latest version here: jasypt-spring-boot-starter
Encrypting properties
Now that we have the necessary libraries installed we can define a secret key and select our encryption algorithm. The available encryption algorithms are determined by the available PBE (Password Based Encryption) algorithms in your JVM. You can use the Jasypt command line utility Listing algorithms to get a list of available algorithms.
For this exercise, we will be using the following algorithm: PBEWithMD5AndTripleDES
For our secret key, we will be using : superSecret
Please ensure you choose your own non trivial encryption password
We are now ready to generate our encrypted property. There are a couple of ways to do this, the first would be to download the Jasypt command line tools from Jasypt CLI Tools
Alternatively, and the procedure we will use, is to directly call the jar from our maven repository.
Below we encrypt the property value flowable
cd <homedir>/.m2/repository/org/jasypt/jasypt/1.9.3
java -cp ./jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=superSecret algorithm=PBEWithMD5AndTripleDES input=flowable
----ENVIRONMENT-----------------
Runtime: Eclipse Adoptium OpenJDK 64-Bit Server VM 17.0.8.1+1
----ARGUMENTS-------------------
input: flowable
password: superSecret
algorithm: PBEWithMD5AndTripleDES
----OUTPUT----------------------
8tNkPmVUg/2lGBYwHRt8GTdPNB3LMknb
This generates the encrypted value for flowable using the seed key superSecret and algorithm PBEWithMD5AndTripleDES
Finally, we are ready to use this encrypted property value in our properties file.
Using Properties
Once the dependency is part of your project you can use properties in the following way:
jasypt.encryptor.password=superSecret
jasypt.encryptor.algorithm=PBEWithMD5AndTripleDES
jasypt.encryptor.iv-generator-classname: org.jasypt.iv.NoIvGenerator
spring.datasource.password=ENC(<encryptedPassword>)
Every property that starts with ENC is an encrypted property that needs to be decrypted by the decryption mechanism.
The jasypt.encryptor.password should not really be set in your application property files, but rather set as an environment variable on your system.
This is the key that is used for decrypting the encrypted values.
The above example does not use an initialization vector org.jaspyt.iv.NoIvGenerator
For additional security, you may choose to set a different initialization vector class.
Other options can be found here: Package org.jasypt.iv