Background
Originally, the database and middleware account passwords in the project were configured directly in plain text. After all, that is the most convenient way to develop, and nobody pays attention to it in normal times.
However, when the system was deployed in a real project, Party A spotted this first during a security inspection and asked us to fix it, so we had no choice but to do so.
I looked for information online, and most people seem to use the Jasypt encryption tool for this. I read the Jasypt official website and a few other blogs, found it quite convenient to use, and am simply recording the steps here.
Extensions:
Beyond encrypting configuration files, I am also doing preliminary research on sensitive-data encryption more broadly: encrypting sensitive data returned by other backend interfaces, encrypting stored data, how to perform fuzzy queries on encrypted data, and so on. Those topics will be written up in later blog posts.
Of course, that is all for later. Let's get straight to using Jasypt to encrypt the account passwords in the configuration file.
Jasypt in practice
1. Introduce dependencies
<!-- https://mvnrepository.com/artifact/com.github.ulisesbocchio/jasypt-spring-boot-starter -->
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.5</version>
</dependency>
If the startup class in the project does not carry the @SpringBootApplication or @EnableAutoConfiguration annotation,
then you need to introduce the jasypt-spring-boot dependency instead and create a configuration class
annotated with @Configuration and @EnableEncryptableProperties.
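The configuration class described above, written out as an added example (this is not code from the original post or from the jasypt-spring-boot project). It also registers a StringEncryptor bean named jasyptStringEncryptor, which is the bean name jasypt-spring-boot looks up by default, so the encryptor settings live in code rather than in the YAML file. The environment variable name JASYPT_KEY is an assumption; the algorithm PBEWITHHMACSHA512ANDAES_256 is the stronger PBE algorithm that jasypt-spring-boot 3.x uses by default and needs a JDK 8+ JCE.

```java
import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example: enables ENC(...) property decryption for a project whose
 * startup class has no @SpringBootApplication / @EnableAutoConfiguration.
 */
@Configuration
@EnableEncryptableProperties
public class JasyptConfig {

    // Assumed environment variable carrying the master key; keeping the key
    // out of the configuration file is the whole point of the exercise.
    private static final String KEY_ENV = "JASYPT_KEY";

    // "jasyptStringEncryptor" is the bean name jasypt-spring-boot resolves by default.
    @Bean("jasyptStringEncryptor")
    public StringEncryptor stringEncryptor() {
        String key = System.getenv(KEY_ENV);
        if (key == null || key.isEmpty()) {
            // Fail fast: an empty key would silently make every ENC(...) value undecryptable.
            throw new IllegalStateException(KEY_ENV + " is not set; refusing to start");
        }

        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(key);
        // AES-256 with HMAC-SHA512 key derivation instead of the legacy PBEWithMD5AndDES.
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        // AES in CBC mode needs a random IV; DES-based PBE would use NoIvGenerator instead.
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");

        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }
}
```

Ciphertexts produced with this bean (for example via `stringEncryptor().encrypt("123456")`) are the ones to wrap in `ENC(...)` in the configuration file; values encrypted with PBEWithMD5AndDES will not decrypt under this configuration, so pick one algorithm and use it for both encryption and startup.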
2. Convert the account password to encrypted value
Create a tool class to encrypt our account passwords:
import org.jasypt.properties.PropertyValueEncryptionUtils;
import org.jasypt.util.text.BasicTextEncryptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Jasypt encryption tool class
 * @author ppp
 * @date 2023/1/5
 */
public class JasyptUtil {

    // slf4j is assumed here; the logging imports were lost in extraction
    private static final Logger logger = LoggerFactory.getLogger(JasyptUtil.class);

    /**
     * Encryption key; must be consistent with the configuration file
     */
    private static final String PRIVATE_KEY = "demo";

    /**
     * BasicTextEncryptor initializes its algorithm to "PBEWithMD5AndDES".
     * Step into the constructor in the source code to see the setting:
     * this.encryptor.setAlgorithm("PBEWithMD5AndDES");
     */
    private static final BasicTextEncryptor basicTextEncryptor = new BasicTextEncryptor();

    static {
        basicTextEncryptor.setPassword(PRIVATE_KEY);
    }

    /**
     * Plain text encryption
     *
     * @param plaintext
     * @return String
     */
    public static String encrypt(String plaintext) {
        // Note: logging the plaintext writes the secret into the log files
        logger.info("The plain text string is: {}", plaintext);
        String ciphertext = basicTextEncryptor.encrypt(plaintext);
        logger.info("The ciphertext string is: {}", ciphertext);
        return ciphertext;
    }

    /**
     * Decryption
     *
     * @param ciphertext
     * @return String
     */
    public static String decrypt(String ciphertext) {
        logger.info("The ciphertext string is: {}", ciphertext);
        // Wrap in ENC(...) so that the value matches the form used in the configuration file
        ciphertext = "ENC(" + ciphertext + ")";
        if (PropertyValueEncryptionUtils.isEncryptedValue(ciphertext)) {
            String plaintext = PropertyValueEncryptionUtils.decrypt(ciphertext, basicTextEncryptor);
            logger.info("The plain text string is: {}", plaintext);
            return plaintext;
        }
        logger.error("Decryption failed!");
        return "";
    }

    public static void main(String[] args) {
        String encrypt = encrypt("123456");
        String test = decrypt(encrypt);
    }
}
3. Add configuration file
Add the following to the application configuration file:
jasypt:
  encryptor:
    # Specify the encryption key. In production, supply it as a startup parameter instead:
    # --jasypt.encryptor.password=<encryption key>
    password: demo
    # Specify the decryption algorithm; it must match the algorithm used during encryption
    algorithm: PBEWithMD5AndDES
    # Specify the initialization-vector generator type
    # (NoIvGenerator is the value required for the DES-based algorithm above; the original value was lost in extraction)
    iv-generator-classname: org.jasypt.iv.NoIvGenerator
4. Replace account password
Change every account password that needs to be encrypted to the ENC(ciphertext) format.
When the project starts, it detects the ENC(...) values in the configuration file and decrypts the ciphertext for the framework to use.
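To see what that startup step amounts to, and to check the result of step 4, here is an added example (not code from the original post, and not how jasypt-spring-boot is implemented internally) that mirrors the behaviour: it walks a few constructed key=value lines, decrypts the ones wrapped in ENC(...) with the same BasicTextEncryptor / PBEWithMD5AndDES setup as the tool class above, and reports any password-like key that was left in plain text. It also shows the failure mode when the startup key does not match the key used for encryption. The key "demo" and the property names are taken from this post; the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.PropertyValueEncryptionUtils;
import org.jasypt.util.text.BasicTextEncryptor;

/** Added example: resolve ENC(...) values the way the framework does at startup. */
public class EncResolver {

    // Decrypts every ENC(...) value; other values are passed through unchanged.
    static Map<String, String> resolve(List<String> lines, BasicTextEncryptor encryptor) {
        Map<String, String> resolved = new LinkedHashMap<>();
        for (String line : lines) {
            int eq = line.indexOf('=');
            if (line.startsWith("#") || eq < 0) {
                continue; // comment or malformed line
            }
            String key = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (PropertyValueEncryptionUtils.isEncryptedValue(value)) {
                // Throws EncryptionOperationNotPossibleException on a wrong key or corrupt ciphertext
                value = PropertyValueEncryptionUtils.decrypt(value, encryptor);
            }
            resolved.put(key, value);
        }
        return resolved;
    }

    // Rectification check: password-like keys whose value is NOT wrapped in ENC(...).
    static List<String> plaintextPasswordKeys(List<String> lines) {
        List<String> offenders = new ArrayList<>();
        for (String line : lines) {
            int eq = line.indexOf('=');
            if (line.startsWith("#") || eq < 0) {
                continue;
            }
            String key = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (key.toLowerCase().endsWith("password")
                    && !PropertyValueEncryptionUtils.isEncryptedValue(value)) {
                offenders.add(key);
            }
        }
        return offenders;
    }

    public static void main(String[] args) {
        // Same setup as the tool class: key "demo", BasicTextEncryptor = PBEWithMD5AndDES
        BasicTextEncryptor encryptor = new BasicTextEncryptor();
        encryptor.setPassword("demo");
        // Salted PBE: the ciphertext differs on every run, which is expected
        String cipher = encryptor.encrypt("123456");

        // Constructed sample configuration lines
        List<String> lines = List.of(
            "spring.datasource.username=app",
            "spring.datasource.password=ENC(" + cipher + ")",
            "spring.redis.password=still-plain-text"
        );

        Map<String, String> props = resolve(lines, encryptor);
        System.out.println("datasource password decrypted to: " + props.get("spring.datasource.password"));
        System.out.println("keys left in plain text: " + plaintextPasswordKeys(lines));

        // Failure mode: the startup key does not match the key used for encryption
        BasicTextEncryptor wrongKey = new BasicTextEncryptor();
        wrongKey.setPassword("not-demo");
        try {
            resolve(lines, wrongKey);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong key: decryption refused, the application would fail to start");
        }
    }
}
```

Running this prints 123456 for the datasource password, lists spring.redis.password as still unencrypted, and shows that a mismatched key is rejected outright rather than yielding garbage, which is why the key supplied at startup must be the same one used when the ciphertexts were produced.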
Summary
The above is my personal experience. I hope it can serve as a reference for you, and I hope you will continue to support me.