Preface
In the context of the digital age, the Internet has penetrated all aspects of life, and has also brought about increasingly severe security challenges. A well-known corporate engineer once suffered heavy losses for uploading the company's core code to an open source platform and was subject to legal sanctions. This incident exposed the weak links in the protection of code and configuration information in enterprises.
The core enterprise system usually stores sensitive data such as database connection information, third-party interface keys, etc. in the configuration file. If it exists in plain text, once it is leaked, it is very easy to be maliciously exploited, causing serious economic and credibility losses. Especially small and medium-sized enterprises, there are often omissions in safety and compliance, and the risk of exposure of sensitive information is greater.
Therefore, the adoption of effective sensitive information encryption is not only a necessary measure to protect intellectual property rights and business security, but also complies with industry security specifications and compliance requirements, which can effectively reduce the security risks caused by information leakage.
What types of sensitive information must be encrypted
- Database username and password
- Authentication information for cache, message queue and other services
- Access Key and Secret Key for third-party services
- Other credential information involving secure communication between systems
If the above information exists in plain text in the configuration file, it is likely to become the target of attack, so encryption must be used to protect it.
The core value of sensitive information encryption
- Prevent leakage risk from amplification: Even if the code or configuration file is leaked, the ciphertext cannot be directly identified, reducing the risk of information being directly utilized.
- Comply with safety compliance mechanism requirements: Many security review processes require sensitive information not to be exposed in plain text, and encryption processing is the prerequisite for review and approval.
- Improve developers' safety awareness: Guide the entire team to remain highly vigilant about safety issues and reduce safety hazards caused by human errors.
Reason for choosing Jasypt as encryption solution
Jasypt (Java Simplified Encryption) is a simple and powerful Java encryption library. Its design purpose is:
- Developers can easily implement data encryption and decryption without exploring cryptography details
- Spring Boot integration support that comes out of the box
- Supports multiple encryption algorithms and configuration options
- Simplify the encryption and decryption process of sensitive configurations in configuration files
Jasypt official website project address:/
Spring Boot integrates Jasypt with multiple ways
General Integration (based on automatic configuration)
For most Spring Boot projects, you can directly introduce themjasypt-spring-boot-starterDependence, no additional configuration is required, and the environment is automatically integrated. Supports automatic decryption of ciphertexts with specific pre- and post-suffixes in configuration files.
<dependency> <groupId></groupId> <artifactId>jasypt-spring-boot-starter</artifactId> <version>3.0.4</version> </dependency>
Enable encryption properties without automatic configuration
If the project is not used@SpringBootApplicationor@EnableAutoConfiguration,need:
- Introduced
jasypt-spring-bootDependency (non-starter) - Add annotations in the configuration class
@EnableEncryptableProperties
@Configuration
@EnableEncryptableProperties
public class JasyptConfig {
// Other configurations}
Enable encryption support for specified configuration files
Without the need to enable encryption properties throughout the Spring environment, you can specify which configuration files apply to support encryption and decryption:
@Configuration
@EncryptablePropertySource("classpath:")
public class JasyptConfig {
}
For multi-configuration file support:
@Configuration
@EncryptablePropertySources({
@EncryptablePropertySource("classpath:"),
@EncryptablePropertySource("classpath:")
})
public class JasyptConfig {
}
Jasypt version 1.8 also supports YAML configuration files later.
Practical exercise: Sample Jasypt integration in Spring Boot project
Introduce dependencies
Use automatic configuration method, add:
<dependency> <groupId></groupId> <artifactId>jasypt-spring-boot-starter</artifactId> <version>3.0.4</version> </dependency>
Configure Jasypt encryption parameters
existAdd the following configuration information:
jasypt:
encryptor:
algorithm: PBEWithMD5AndDES
iv-generator-classname:
property:
prefix: IT(
suffix: )
The encryption algorithm is specified here as classicPBEWithMD5AndDES, and define the pre-suffix of encrypted data, so that Jasypt automatically recognizes which configurations need to be decrypted.
Replace sensitive information encryption into configuration file
For example, replace the database account password with a ciphertext format:
spring:
datasource:
url: jdbc:mysql://localhost:3306/user2?useUnicode=true&characterEncoding=utf-8&useSSL=true&serverTimezone=Asia/Shanghai
username: IT(MIJueAfnYWsKa2kiR8Qrrw==)
password: IT(qH9m5vjj8RYULOASKdhlOw==)
Note: Encrypted content must be prefixed with the configuredIT(Start, suffix)Finish.
Various solutions to generate ciphertexts
Solution 1: Encryption using code
Sample code:
public class JasyptEncryptUtils {
private static final String ALGORITHM = "PBEWithMD5AndDES";
private static final String PASSWORD = "PEB123@321BEP";
public static String encrypt(String plaintext) {
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
(ALGORITHM);
(PASSWORD);
(config);
return (plaintext);
}
public static String decrypt(String ciphertext) {
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
(ALGORITHM);
(PASSWORD);
(config);
return (ciphertext);
}
public static void main(String[] args) {
(encrypt("root"));
(encrypt("123456"));
}
}
Solution 2: Encryption using command line tools
existjasypt-1.9.Execute under the package path:
Encryption command:
java -cp jasypt-1.9. input='root' password=PEB123@321BEP algorithm=PBEWithMD5AndDES
Decryption command:
java -cp jasypt-1.9. input='Crypto text content' password=PEB123@321BEP algorithm=PBEWithMD5AndDES
Solution 3: Encryption through Maven plug-in
Add plugins to pom:
<plugin> <groupId></groupId> <artifactId>jasypt-maven-plugin</artifactId> <version>3.0.4</version> </plugin>
Execute encryption:
mvn jasypt:encrypt-value -="PEB123@321BEP" -="Content that needs to be encrypted"
Start parameter setting key to ensure security
The key should not be hardcoded or saved in a configuration file and should be passed in the following ways:
- As Java startup parameters:
java -jar --=PEB123@321BEP
- Or as a JVM parameter:
java -=PEB123@321BEP -jar
Avoiding secret key exposure is the key to truly ensuring system security.
Frequently Asked Questions and Solutions
Startup error caused by algorithm compatibility
The default encryption algorithm of Jasypt version isPBEWITHHMACSHA512ANDAES_256, This algorithm requires JDK 9+ or JCE unlimited policy file support, and lower versions of JDK or not installed will cause binding parameters to fail.
Solution:
- Reduce the algorithm version and switch to
PBEWithMD5AndDES - Specify No IV generator:
jasypt:
encryptor:
algorithm: PBEWithMD5AndDES
iv-generator-classname:
- Or downgrade the Jasypt version to
How to ensure the security of the key
- Never store the key in plaintext in code or configuration
- Load the key through external parameter transmission
- If there are higher security requirements, you can customize the encryptor logic or combine it with the hardware security module (HSM)
Multiple means to prevent sensitive information from being uploaded by Git
- Standardize code submission process and permission control, reduce the risk of leakage due to misoperation
- use
.gitignoreFiles ignore sensitive configuration files to avoid being tracked and submitted - Use sensitive information detection tools (e.g.
git-secrets) Scan the submissions to prevent sensitive data submissions - Strict Code Review process, teams supervise each other to discover potential risks
These means combined with encryption technology to form multiple lines of defense for information security.
Thinking about technology and law: the issue of code ownership
The recent incident of Nginx founder questioning code ownership by his former boss has inspired extensive discussions on the ownership of programmers' labor results:
- Usually development during employment belongs to company assets
- However, a balance and consensus need to be reached between the spirit of open source and personal contributions
- Contracts, corporate systems, laws and regulations must clearly define rights and responsibilities
This complex issue is worthy of in-depth thinking by the team and enterprises, and we must respect intellectual property rights and protect the rights and interests of developers.
Conclusion
Security is not only the encryption of a piece of code, but also the reflection of the responsibility of technicians. Jasypt provides Spring Boot projects with a simple and easy-to-use sensitive information encryption solution, which can greatly improve the system security level with complete key management and process control. As a developer, you should always include security in your daily development habits, build a solid business moat, and prevent the risk of data leakage.
The above is the detailed content of SpringBoot integrating Jasypt to implement sensitive information encryption and protection function. For more information about SpringBoot Jasypt sensitive information encryption, please pay attention to my other related articles!