Spring Cloud Config – Encrypt / Decrypt Configuration Properties

In the previous articles, we learned how to set up a spring cloud configuration server using the git repository and the file system to store the configuration property files.

In this article, we will learn how to encrypt/decrypt the configuration properties in the spring cloud configuration server.

By default, the spring cloud configuration server stores all property values as plain text. Storing sensitive data as plain text means that anyone who can read the configuration repository or file system can also read the secrets.

Spring cloud configuration server supports both symmetric and asymmetric encryption of configuration property values.

In this article, we will use a symmetric key (shared key) to encrypt our configuration properties.

Download and install Oracle JCE jars

Download the suitable version of Oracle’s JCE jars from here.

In our case, we are using Java 8 on our local Windows machine, so we have downloaded the matching version of the zip file.

Once the zip file download is complete, unzip the file.

Open the jre/lib/security folder of the currently installed Java. In our case, it is the C:/Program Files/Java/jdk1.8.0_73/jre/lib/security directory of the Windows system.

Take a backup of the local_policy.jar and US_export_policy.jar files, then replace these two files with the downloaded ones that were unzipped earlier.

Enable encryption on config server

Check out the previous article to learn how to set up a spring cloud configuration server.

Create a bootstrap.properties file under the src/main/resources folder of the configuration server application.

Add the property encrypt.key and set a symmetric key value. This is the shared key that the spring cloud configuration server uses to encrypt and decrypt the configuration properties.

encrypt.key=myencryptkey

Encrypting and decrypting the properties

Once the configuration server is up, it exposes two HTTP POST endpoints: /encrypt and /decrypt.

We can use the /encrypt endpoint to encrypt property values and then store them in our configuration properties file.

Open Postman and send a POST request to the /encrypt endpoint with the value to be encrypted.

Store the encrypted value in the configuration property as shown below. Notice that the {cipher} prefix and the value are stored together within double quotes.

my:
  prop: my test property
  encrypted-prop: "{cipher}010efcfa6df24c966e975213b5d2c0dc74a3bd485cbecc04dee915cbbf7b7d55"
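
The quoting rule above and the handling of encrypt.key can be checked automatically before a configuration file is committed. The following Python lint is an added example, not code from the original article or from Spring; the sample files, the db.* keys and the list of sensitive key names are constructed for illustration. It assumes the documented Spring Cloud Config behaviour that {cipher} values must be quoted in YAML and left unquoted in .properties files.

```python
import re

# Assumed fragments of key names that usually hold secrets; extend as needed.
SENSITIVE = re.compile(r"passw(or)?d|secret|token|credential", re.I)
LINE = re.compile(r"^(\s*)([\w.\-]+)\s*[:=]\s*(.*?)\s*$")
# Constructed sample files (not from the original article).
SAMPLE_YAML = '''my:
  prop: my test property
  encrypted-prop: "{cipher}0a1b2c3d"
db:
  password: hunter2
  token: {cipher}0a1b2c3d
'''
SAMPLE_PROPS = '''encrypt.key=myencryptkey
db.password="{cipher}0a1b2c3d"
'''


def lint_config(filename, text):
    """Return (line_no, key, problem) tuples for one config file."""
    is_yaml = filename.endswith((".yml", ".yaml"))
    findings, parents = [], []  # parents: (indent, key) of open YAML maps
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue  # comment, blank line or unsupported syntax
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        path = key
        if is_yaml:
            # Rebuild the dotted property name from the indentation levels.
            parents = [p for p in parents if p[0] < indent]
            path = ".".join([p[1] for p in parents] + [key])
            if not value:  # parent key such as "my:"
                parents.append((indent, key))
                continue
        quoted = len(value) > 1 and value[0] == value[-1] and value[0] in "\"'"
        bare = value[1:-1] if quoted else value
        if path == "encrypt.key":
            findings.append((no, path, "symmetric key stored in the file"))
        elif bare.startswith("{cipher}"):
            if quoted != is_yaml:  # YAML needs quotes, .properties must not have them
                findings.append((no, path, "wrong quoting for a {cipher} value"))
        elif bare and not bare.startswith("${") and SENSITIVE.search(path):
            findings.append((no, path, "sensitive value stored as plain text"))
    return findings


if __name__ == "__main__":
    for name, text in (("application.yml", SAMPLE_YAML), ("bootstrap.properties", SAMPLE_PROPS)):
        print(name, lint_config(name, text))
```

An empty result means the file passed. The encrypt.key finding can be cleared by supplying the key through the ENCRYPT_KEY environment variable instead of the properties file.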

By default, the spring cloud config server decrypts the encrypted values before serving them.

Finally, start the configuration server and try to access the configuration property. We will get the decrypted value.

Disable decryption of property on config server

We can disable decryption of the encrypted property values before serving by setting the following property in the bootstrap.properties file.

spring.cloud.config.server.encrypt.enabled=false

Access the cloud configuration server now. We should be able to see the encrypted property value.

Setting up config client service to get the encrypted value

In our previous article, we created a simple-service to read the configuration properties from the configuration server.

Let us modify it to enable decryption of encrypted properties.

Also, make sure that decryption of properties is disabled on the configuration server first, as explained in the section above. 🙂

Add required dependency

To enable decryption on the client side, we have to add the spring-security-rsa dependency to the application’s pom.xml file.

This jar contains the required java code to decrypt the encrypted configuration property values.

<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-rsa</artifactId>
</dependency>

Add the symmetric key to the configuration property

Open the bootstrap.properties file and add the symmetric key used before for encryption of our property in the configuration server.

encrypt.key=myencryptkey

Update the client service to read the configuration

Add the following code to the spring boot application class. Some parts of this code (@RefreshScope, etc.) were covered in the previous article.

Here, we have added one more string variable to read the encrypted property my.encrypted-prop from the configuration server.

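import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@RefreshScope
public class SimpleServiceApplication {

	// Plain-text property served by the configuration server
	@Value(value = "${my.prop}")
	private String myProp;
	
	// Stored as {cipher}... on the server; decrypted on the client with encrypt.key
	@Value(value = "${my.encrypted-prop}")
	private String decryptedProp;
	
	// Demo endpoint: returns both values so that we can verify the decryption
	@GetMapping("/")
	public String getMyProp() {
		return "Prop value: " + myProp + " Decrypted Prop: " + decryptedProp;
	}
	
	public static void main(String[] args) {
		SpringApplication.run(SimpleServiceApplication.class, args);
	}
}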

It’s all ready now!! Run the client service. 🙂 🙂

Make sure that the configuration server is also up and running!! 😛

If we access our application, we should be able to see the decrypted message.

Finally, we have successfully encrypted the configuration property at the configuration server and decrypted it in the configuration client service, using a symmetric key.

Note: This is a continuation of the previous articles; please read this and this article to learn how to set up a configuration server using a file system and git repository.

Conclusion

In this article, we learned how to use a symmetric key to encrypt and decrypt property values on a spring cloud config server.

The sample code is available on GitHub.