Overview: Earlier post I was demonstrating basic of spring cloud config. Now in this post, we will see how we can use secure properties in the spring cloud config. Before continuing on this, I recommend you to first go through the previous post.
Secure properties: Almost every application has some kind of configuration that can’t be exposable, some are very sensitive and should be limited access. we generally pronounce it secure properties.
There are multiple ways you can secure your properties like using Cerberus, Hashicorp vault with consul backend, Cyberark password vault, and aim, confidant, Credstash etc. Here we are going to use the simplest way that may not as powerful as the above tools but secure and very easy to use.
Let’s implement this, in a sample code,
First, generate a key store. assuming you are aware of keytool.
keytool -genkeypair -alias mytestkey -keyalg RSA \ -dname "CN=Web Server,OU=Unit,O=Test,L=City,S=State,C=IN" \ -keypass changeme -keystore server.jks -storepass testPassword
Then place server.jks to resource folder in cloud config server project, after that edit bootstrap.properties(or .yaml). and add below properties.
| Properties | Description |
| encrypt.keyStore.location | Contains a resource(.jks file) location |
| encrypt.keyStore.password | Holds the password that unlocks the keystore |
| encrypt.keyStore.alias | Identifies which key in the store to use |
| encrypt.keyStore.secret | secret to encrypt or decrypt |
e.g
encrypt.keyStore.location=server.jks encrypt.keyStore.password=testPassword encrypt.keyStore.alias=mytestkey encrypt.keyStore.secret=changeme
That’s it and now restart config server.
There is encryption and decryption endpoint expose by config server.
Let’s take a simple example, where we will try to encrypt and decrypt ‘testKey’.
#curl localhost:8888/encrypt --data-urlencode testKey
output:
AQAYqm8ax79kPFGT0sOvV8i8uN0GDLsToULmflVNYKf95bpyAKLIV4eCFVdNJpgb7SyS808a3uTjvQBj1SrIwFlQktRpln8ykpWUG3NdPM6aPf5k4yRhNkG43S5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtAYG2EwbdWU1/a9xqoDJb9OQbSsEr0wp2Ud+HlG02NGF2qmhxL7kW5BJxTsGdZG2J8qwhkPYreYF6UQlehmheWCAJBzfBw4peT9LOxi7rA0sHD78xle7Bahziyc+WOETADloKfSowERNY5FCOe4/ywhcHpJuCk+6NPok3KVI+jMTXdSpqMmfxBNc764hHjlhpablwNcRPDv8XGCdstdy4Esb9/eXTZgh0g=
#curl localhost:8888/decrypt --data-urlencode AQAYqm8ax79kPFGT0sOvV8i8uN0GDLsToULmflVNYKf95bpyAKLIV4eCFVdNJpgb7SyS808a3uTjvQBj1SrIwFlQktRpln8ykpWUG3NdPM6aPf5k4yRhNkG43S5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtAYG2EwbdWU1/a9xqoDJb9OQbSsEr0wp2Ud+HlG02NGF2qmhxL7kW5BJxTsGdZG2J8qwhkPYreYF6UQlehmheWCAJBzfBw4peT9LOxi7rA0sHD78xle7Bahziyc+WOETADloKfSowERNY5FCOe4/ywhcHpJuCk+6NPok3KVI+jMTXdSpqMmfxBNc764hHjlhpablwNcRPDv8XGCdstdy4Esb9/eXTZgh0g=
output:
testKey
As our keystore file containing public and private key so we can able to encrypt and decrypt properties.
In the case of config client, we do not have to do any extra step except below one, whenever we use encrypted property that has to start with ‘{cipher}’, for example
user.password={cipher}5lCckmyLTH8CIzoSSFQeKoFuk4zPiAPTMchTP9qtA
Caution: encrypted data should not be within single or double quotes.
In a case when a client wants to decrypt configuration locally
First,
If you want to encrypt and decrypt endpoint not work, Then comment all properties that start with encrypt.* and include the new line as below
spring.cloud.config.server.encrypt.enabled=false
Include keystore(.jks) file in client project and update below properties in bootstrap.properties(or .yaml) file
encrypt.keyStore.location=server.jks
encrypt.keyStore.password=testPassword
encrypt.keyStore.alias=mytestkey
encrypt.keyStore.secret=changeme
That’s all, now client project not going to connect with the server to decrypt properties.
Summary: We can secure our external properties using spring cloud config in fewer efforts, That may easily fulfill small or mid-scale project requirement.
Hope you like this 🙂
Follow @nikeshpathak
Nikesh Pathak 