Spring Cloud Config Encryption and decryption

Source: Internet
Author: User
Tags: decrypt, urlencode

To use the encryption and decryption features, you need to install the full-strength JCE in your JVM (it is not included by default). Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle and follow the installation instructions (in effect, replacing the two policy files in the JRE lib/security directory with the files you downloaded).

If the remote property source contains encrypted content (values beginning with {cipher}), it is decrypted before being sent over HTTP to the client. The main advantage of this setup is that property values do not have to be in plain text while they are "at rest" (for example, in a Git repository). If a value cannot be decrypted, it is removed from the property source and an additional property with the same key is added, prefixed with "invalid." and carrying a "not applicable" value (usually "<n/a>"). This is largely to prevent cipher text being used as a password and accidentally leaking.

If you are setting up a remote configuration repository for a config client application, it might contain an application.yml like this, for example:

application.yml

spring:
  datasource:
    username: dbuser
    password: '{cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ'

Encrypted values in a .properties file must not be enclosed in quotation marks, or the value will not be decrypted:
application.properties

spring.datasource.username: dbuser
spring.datasource.password: {cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ

You can safely push this plain text to a shared git repository, and the secret password remains protected.

The server also exposes /encrypt and /decrypt endpoints (on the assumption that they will be secured and only accessible to authorized agents). If you are editing a remote config file, you can use the Config Server to encrypt values by POSTing to the /encrypt endpoint, for example:

$ curl localhost:8888/encrypt -d mysecret
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

The reverse operation is also available via /decrypt (provided the server is configured with a symmetric key or a full key pair):

Note: If the value you want to encrypt contains characters that need URL encoding, use the --data-urlencode option of curl to make sure they are encoded correctly.

$ curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret

If you are testing with curl, use --data-urlencode (instead of -d) or set an explicit Content-Type: text/plain to make sure the data is encoded correctly when there are special characters ('+' is especially tricky).

Take the encrypted value and add the {cipher} prefix before you put it in the YAML or properties file, and before you commit and push it to a remote, potentially insecure store.
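A pre-commit check for the conventions above, added here as an example and not part of the original page or of Spring Cloud Config: it flags secrets committed in plain text, {cipher} values quoted in a .properties file (which the server will not decrypt, producing an invalid.* key instead) and unquoted {cipher} values in YAML. The key-name pattern and the two sample files are constructed assumptions.

```python
import re
from typing import List, Tuple
# Keys whose values should be encrypted before reaching the repo (assumption: tune per project).
SECRET_KEY_RE = re.compile(r"(password|secret|token|key)$", re.IGNORECASE)
PROPS_LINE_RE = re.compile(r"^\s*([\w.\-\[\]]+)\s*[=:]\s*(.*?)\s*$")  # key=value or key: value
YAML_LINE_RE = re.compile(r"^\s*([\w\-]+)\s*:\s*(.+?)\s*$")           # scalar "key: value" lines only
QUOTED_CIPHER = ("'{cipher}", '"{cipher}')

def check_properties(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) for each offending line of a .properties file."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PROPS_LINE_RE.match(line)
        if not m:
            continue  # blank lines and '#'/'!' comments never match the key pattern
        key, value = m.groups()
        if value.startswith(QUOTED_CIPHER):
            # In .properties the quotes become part of the value: the server cannot decrypt it and ships invalid.<key>=<n/a>.
            problems.append((lineno, f"{key}: {{cipher}} value must not be quoted in .properties"))
        elif SECRET_KEY_RE.search(key) and not value.startswith("{cipher}"):
            problems.append((lineno, f"{key}: secret stored in plain text"))
    return problems

def check_yaml(text: str) -> List[Tuple[int, str]]:
    """Same checks for application.yml; there a {cipher} value must be quoted, since an unquoted '{' starts a YAML flow mapping."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = YAML_LINE_RE.match(line)
        if not m:
            continue  # nested mapping headers such as "spring:" carry no value
        key, value = m.groups()
        if value.startswith("{cipher}"):
            problems.append((lineno, f"{key}: {{cipher}} value must be quoted in YAML"))
        elif SECRET_KEY_RE.search(key) and not value.startswith(QUOTED_CIPHER):
            problems.append((lineno, f"{key}: secret stored in plain text"))
    return problems

# Constructed sample files (not from the original page) that exercise each failure mode.
PROPS_SAMPLE = """spring.datasource.username: dbuser
spring.datasource.password: {cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ
api.token='{cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ'
mail.password=hunter2
"""
YAML_SAMPLE = """spring:
  datasource:
    password: '{cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ'
mail:
  password: {cipher}FKSAJDFGYOS8F7GLHAKERGFHLSAJ
  secret: hunter2
"""
```

Run both checks over the files in your config repository from a pre-commit hook and reject the commit when either returns a non-empty list.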

The /encrypt and /decrypt endpoints also accept paths of the form /*/{name}/{profiles}, which can be used to control cryptography per application (name) and profile when clients call into the main Environment resource.

Note: To control cryptography in this granular way, you must also provide a @Bean of type TextEncryptorLocator that creates a different encryptor for each name and profile. The default does not provide this (all encryption uses the same key).

The spring command-line client (with the Spring Cloud CLI extension installed) can also be used to encrypt and decrypt, for example:

$ spring encrypt mysecret --key foo
682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
$ spring decrypt --key foo 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda
mysecret

To use a key in a file (for example, an RSA public key for encryption), prefix the key value with "@" and provide the file path, for example:

$ spring encrypt mysecret --key @${HOME}/.ssh/id_rsa.pub
AQAjPgt3eFZQXwt8tsHAVv/QHiY5sI2dRcR+...

The key argument is mandatory (despite having a -- prefix).

