Spring Cloud Config Encryption and decryption

To use the encryption and decryption features, you need to install a full jce in the JVM (which does not exist by default). You can download the Java Encryption Extensions (JCE) unlimited Strength management policy file from Oracle and follow the installation instructions (in effect replacing the 2 policy files in the JRE lib/security directory with the files you downloaded).

If the remote property source contains encrypted content (at {cipher} the beginning of the value), they will be decrypted before being sent over HTTP to the client. The main advantage of this setting is that when they are "stationary," the property value does not have to be plain text (for example, in a Git repository). If the value cannot be decrypted, the value is removed from the property source and additional properties with the same key are added, but prefixed with "invalid". and "Not applicable" values (usually "<n/a>"). This is primarily to prevent passwords from being used as passwords and accidental leaks.

If you are setting up a remote configuration repository for a config client application, you might include one application.yml , for example:

Application.yml

Spring:  DataSource:    username:dbuser    '{cipher}fksajdfgyos8f7glhakergfhlsaj  '

The encrypted value in the properties file cannot be enclosed in quotation marks, or the value will not be decrypted:

Application.properties

Spring.datasource.username:dbuserspring.datasource.password: {Cipher}fksajdfgyos8f7glhakergfhlsaj

You can safely push this plain text to a shared git repository with a secret password.

The server also exposes /encrypt and /decrypt endpoints (assuming that these endpoints will be protected and accessible only by authorized agents). If you are editing a remote configuration file, you can use config server to encrypt the value by post to the /encrypt endpoint, for example

$ curl localhost:8888/encrypt-D Mysecret682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

The reverse operation can also be /decrypt obtained (if the server is configured with a symmetric key or a full key pair):

Note If the values that you want to encrypt have characters that require URL encoding, you should use the --data-urlencode option curl to ensure that they are correctly encoded.

$ curl localhost:8888/decrypt-D 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bdamysecret

If you are testing with curl, use --data-urlencode (not -d ) or set explicit to Content-Type: text/plain ensure that the data is encoded correctly when there are special characters (' + ' especially tricky).

Add the encrypted value to the {cipher} prefix, and then put it in the Yaml or properties file, and then commit and push it to a remote potentially unsafe store.

/encryptAnd /decrypt endpoints also accept /*/{name}/{profiles} the form of paths that can be used for each application (name) and profile control password when the client calls to the main environment resource.

Note In order to control the password in this subtle way, you must also provide a TextEncryptorLocator type @Bean that can create a different dongle for each name and configuration file. This is not provided by default (all encryption uses the same key).

springThe command-line client (with the Spring Cloud CLI extension installed) can also be used for encryption and decryption, such as

$ spring Encrypt MySecret----key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bdamysecret

To use a key in a file (for example, an RSA public key for encryption), type the key value with "@" and provide the file path, for example

$ spring Encrypt mysecret--key @${home}/.ssh/id_rsa.pubaqajpgt3efzqxwt8tshavv/QHIY5SI2DRCR ...

The key parameters are mandatory (although there is a -- prefix).

Spring Cloud Config Encryption and decryption