In order to enable encryption and decryption of config property files, you need to install the unlimited strength Java Cryptography Extension (JCE) policy files in your config server environment. These don't come with the JVM by default: the policy files shipped with the JVM are of limited strength, which rules out the 256-bit AES keys the config server uses for symmetric encryption. (This applies to older JVMs. From JDK 8u161 onward, and in JDK 9 and later, the unlimited policy is the default and this step can be skipped.) The download is a zip containing three files:
local_policy.jar
README.txt
US_export_policy.jar
You need to copy local_policy.jar and US_export_policy.jar into the $JAVA_HOME/jre/lib/security directory, overwriting the limited-strength versions already there, and restart the config server so the new policy is picked up.
LET’S ENCRYPT!
Now that we have a config server that's able to encrypt and decrypt data, let's start by encrypting a property value. The config server exposes a couple of handy endpoints: /encrypt to encrypt data and /decrypt to decrypt data. Keep in mind that anyone who can POST to /decrypt can recover every secret the server holds, so these endpoints must be protected (for example with Spring Security and basic auth over HTTPS) and never exposed to untrusted networks.
curl localhost:8888/encrypt -d 'Hello Spring Boot!'
The result of this command is the 'Hello Spring Boot!' string as an encrypted value that we can add to the git repository backing the config server. If the plaintext contains characters such as + or =, use curl --data-urlencode instead of -d (or send an explicit Content-Type: text/plain header) so that form encoding does not mangle the value before it reaches the server. Here's the application.yml file served by my config server, now updated with the encrypted message.
message: '{cipher}AQCLJG5FvxQrLAC6Q9iDmkegrIh1yJ4K2BeRzNdu3PkMZXv1cMSJ/C3flllHITinxgKecX3I8MPIf6sSsSIaZCV9YW/MzQ6VYVQ8Mt4GIxbPfFRFpvOhBmsCDomZ5lQ5eWoDmS1yHpIMeES37YVLW/uM8LJTNRg16ywFy/pdxbhzQt5g0KEe8N8FIDk32lrvo5qB3e0hYv3gOfUAEYzt9ZjyQmXJqpAgWB+85Su7gIyxW7f5Q20hNoA5RgG87ofrmFD2M0LgcjQMbeEKIUqYAZjOYKAJG/xUwU9WEkTgw8nKgSmkkPxMPorSIBwwgXlYDGlLU3DM+lT91Nky8ydH3CTuKSN1j7OhfRRLWPcYLNFC+BLqT/4tjcCrVP2tvCepN/yZ9pN8eA6L1zQqoHPzpBkj'
Notice the {cipher} prefix. This is a hint to the config server that this property is encrypted and needs to be decrypted before it is sent to a client application. Decryption happens on the server by default, so the client never needs the key; only the config server does. (If you would rather keep the key off the server and have clients decrypt, set spring.cloud.config.server.encrypt.enabled=false on the server and configure the key on each client.) Because the value in git is ciphertext, a leaked repository does not leak the secret, but a leaked encrypt.key or keystore does, so keep the key out of the repository and out of the config the server serves.
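The following is an added example, not code from the original post or from Spring Cloud Config itself. It reproduces locally what the server does for a symmetric key: the /encrypt endpoint builds a {cipher}-prefixed value, and on the way out the server strips the prefix and decrypts. It uses Spring Security's Encryptors.text, the same symmetric text encryptor the config server uses for an encrypt.key (AES-256-CBC with a PBKDF2-derived key, a fresh random IV per call, hex output), which is also why the unlimited-strength policy is needed on older JDKs. It assumes spring-security-crypto is on the classpath; the key and salt values are made up for the demo.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/**
 * Local round-trip of a {cipher} property, mirroring the config server's
 * symmetric-key behaviour. Added example; not part of the original post.
 */
public class CipherPropertyDemo {

    // Demo key only. In a real deployment this is encrypt.key in the server's
    // bootstrap.yml or the ENCRYPT_KEY environment variable, never in git.
    private static final String DEMO_KEY = "change-me-this-is-only-a-demo-key";

    // Spring Cloud Config's default salt for a symmetric key is the hex string
    // "deadbeef" (encrypt.salt); reused here so the output format matches.
    private static final String SALT = "deadbeef";

    private static final String PREFIX = "{cipher}";

    private final TextEncryptor encryptor;

    public CipherPropertyDemo(String key, String salt) {
        // Encryptors.text derives a 256-bit AES key with PBKDF2 and prepends a
        // random 16-byte IV to each ciphertext. On a JVM with limited-strength
        // policy files this constructor (or the first encrypt call) fails with an
        // exception mentioning "Illegal key size".
        this.encryptor = Encryptors.text(key, salt);
    }

    /** Equivalent of POST /encrypt: returns the value to paste into application.yml. */
    public String encryptProperty(String plaintext) {
        return PREFIX + encryptor.encrypt(plaintext);
    }

    /** What the server does before serving a property: strip the prefix and decrypt. */
    public String resolveProperty(String stored) {
        if (!stored.startsWith(PREFIX)) {
            return stored; // plain value, passed through unchanged
        }
        return encryptor.decrypt(stored.substring(PREFIX.length()));
    }

    public static void main(String[] args) {
        CipherPropertyDemo server = new CipherPropertyDemo(DEMO_KEY, SALT);

        String stored = server.encryptProperty("Hello Spring Boot!");
        System.out.println("message: '" + stored + "'");

        // Encryption is randomised (new IV each time), so the same plaintext gives
        // a different ciphertext on every run; only the round-trip is stable.
        String resolved = server.resolveProperty(stored);
        if (!"Hello Spring Boot!".equals(resolved)) {
            throw new IllegalStateException("round-trip failed");
        }
        System.out.println("resolved: " + resolved);

        // A plain value is served as-is; the prefix is what triggers decryption.
        System.out.println("plain: " + server.resolveProperty("not a secret"));

        // Decrypting with a different key fails (bad padding, surfaced by Spring as a
        // runtime exception). The config server does not serve such a value; it
        // flags the property as invalid instead of handing out the ciphertext.
        CipherPropertyDemo wrongKey = new CipherPropertyDemo("some-other-key", SALT);
        boolean failed = false;
        try {
            wrongKey.resolveProperty(stored);
        } catch (RuntimeException e) {
            failed = true;
            System.out.println("wrong key rejected: " + e.getClass().getSimpleName());
        }
        if (!failed) {
            throw new IllegalStateException("decryption with the wrong key should not succeed");
        }
    }
}
```

Run it with spring-security-crypto on the classpath and paste the printed message line into the repository that backs the config server; the server, configured with the same encrypt.key, will serve the decrypted text to clients exactly as in the post.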