Configuration Encryption - wuyichen24/spring-microservices-in-action GitHub Wiki
Overview
To keep sensitive parameters (such as database passwords) encrypted in the configuration repository and have them decrypted only where they are needed, you need to do several things on the config server and on the client:
Change server-side
Install Oracle JCE jars
Spring Cloud Config's symmetric encryption uses AES-256. Oracle JDK 8 builds before 8u161 ship with a limited cryptography policy that caps AES keys at 128 bits, so on those builds you first need to install the Oracle JCE (Java Cryptography Extension) unlimited-strength policy files into your JRE. From 8u161 onward (and on Java 9+) the unlimited policy is the default and this step can be skipped.
# go to your tmp directory
cd /tmp/
# download and unzip the JCE zip file (over HTTPS and without curl's -k, so the server certificate is actually verified)
curl -LO "https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" -H 'Cookie: oraclelicense=accept-securebackup-cookie' && unzip jce_policy-8.zip
# delete the original zip file
rm jce_policy-8.zip
# go to the JRE lib directory (/usr/libexec/java_home is macOS-specific; on Linux use "$JAVA_HOME/jre/lib/")
cd "$(/usr/libexec/java_home)/jre/lib/"
# back up the original security directory
sudo tar czf security_backup.tar.gz security
# copy the 2 jar files (local_policy.jar and US_export_policy.jar) from the JCE directory to the security directory
sudo cp -v /tmp/UnlimitedJCEPolicyJDK8/*.jar "$(/usr/libexec/java_home)/jre/lib/security"
Set up an encryption key
In this step, you set up the symmetric encryption key as an environment variable. The config server reads it from ENCRYPT_KEY; the value below is only a placeholder, so use a long random secret of your own. This key is a shared secret that protects every encrypted value in the repository: keep it out of the configuration repository and source control, and pass it in through the environment (or a secrets store) on the machines that run the config server.
- If you run the config server from the command line, use this command:
export ENCRYPT_KEY=IMSYMMETRIC
- If you run the config server in Eclipse, add this environment variable to the run configuration of the config server's application start class.
Get the encrypted value of the sensitive parameter
In this step, we make an HTTP request (the method must be POST) to the config server's /encrypt endpoint to get the encrypted value of the sensitive information. In this example, we use spring.datasource.password as the sensitive parameter.
Request
METHOD: POST
URL: http://localhost:8888/encrypt
BODY: 6ytow2-;S3lA
Response
8e2e38b0e293fb4c0a8def88b828a8b2a6d1f5984ebbdedc0a6dd54ff355dd86
This hex string is the encrypted value of the password. Send the raw password as the request body (with curl, use --data-binary and quote the value, since it contains shell metacharacters); a trailing newline or URL-encoding would be encrypted along with it. Note that the config server also exposes a matching POST /decrypt endpoint, and neither endpoint is protected unless you secure the config server itself, so anyone who can reach the server while ENCRYPT_KEY is loaded can recover every encrypted value.
Update the sensitive parameter in the configuration file (or GitHub repository)
In this step, replace the original value of the spring.datasource.password parameter in the licensingservice.yml file with the encrypted value:
spring.datasource.password: "{cipher}8e2e38b0e293fb4c0a8def88b828a8b2a6d1f5984ebbdedc0a6dd54ff355dd86"
The {cipher} prefix tells Spring Cloud Config Server to treat this value as an encrypted value. Keep the quotes: an unquoted value starting with { would be parsed as a YAML flow mapping.
Hide the sensitive parameter from the endpoint of the config server
By default the config server decrypts {cipher} values itself before serving them, so before this step a request for the licensing service's configuration from the config server still returns the original password in plaintext, to any client that can reach the server. To disable server-side decryption, change the config server's bootstrap.yml so that the {cipher} value is passed through as-is and decryption happens only in clients that hold ENCRYPT_KEY:
spring:
  cloud:
    config:
      server:
        encrypt.enabled: false
Note that encrypt.enabled is written as a single dotted key on one line (Spring Boot's relaxed binding accepts this); it is equivalent to nesting encrypt: with enabled: false beneath it.
Change client-side
Set up an encryption key
With server-side decryption disabled, the licensing service receives the {cipher} value and must decrypt it locally, so the client needs the same ENCRYPT_KEY as the config server. A client with a missing or different key cannot decrypt the value, and the datasource password is not available to it.
- If you run the licensing service from the command line, use this command:
export ENCRYPT_KEY=IMSYMMETRIC
- If you run the licensing service in Eclipse, add this environment variable to the run configuration of the licensing service's application start class.