In this tutorial, you will learn how to encrypt and decrypt a property value that is being served by Spring Cloud Config Server. The Config Server can use a symmetric (shared) key or an asymmetric one (RSA key pair). In this tutorial, we will use the symmetric key.
For Asymmetric Encryption, read this tutorial: Spring Cloud Config – Asymmetric Encryption and Decryption.
To learn more about Spring Cloud, please look at my other Spring Cloud tutorials.
For a step-by-step series of video lessons, please check this page: Spring Boot Microservices and Spring Cloud.
Add the Java Cryptography Extension
If you use Java 8, then for the Spring Cloud to be able to encrypt and decrypt properties, you will need to add the full-strength JCE to your JVM (it is not included by default). You can download the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from Oracle and follow the installation instructions. Make sure you download JCE for your Java platform.
The installation process is very simple. Basically, you will need to copy the two downloaded jar files to a /lib/security folder in your JDK.
<java-home>/lib/security [Unix]
<java-home>\lib\security [Windows]
Note: Once you copy the JCE libraries, you will need to kill the running Java process and start it again. If that does not help, restart your computer.
Video demonstration
Add the Encryption Key to a Config Server
For Spring Cloud Config to be able to encrypt and decrypt properties, you will need to provide an encryption key. The value of the encryption key is up to you to generate, but the more secure it is, the better. Use an alpha-numeric string of characters containing upper and lower case characters.
Note: The encryption key should be added to a bootstrap.properties file.
For example:
encrypt.key=fje83Ki8403Iod87dne7Yjsl3THueh48jfuO9j4U2hf64Lo
Encrypt Property
Once you have added the encryption key to a bootstrap.properties file of your Spring Cloud Config server, run the server. To encrypt a property, send an HTTP POST request to a /encrypt URL endpoint. Below is an example of a CURL command to encrypt a property value “mypassword”:
curl -X POST http://localhost:8012/encrypt -d mypassword
where:
- 8012 – is the port number on which my Spring Cloud Config server is running. In your case, this port number might be different.
- mypassword – is a string we want to encrypt.
The response, in my case, is an encrypted value:
c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf
Use Encrypted Value
The Spring Cloud Config can be used with Git or a Native file system as a backend. When adding an encrypted value to a property file that is being served by a Spring Cloud Config server use a {cipher} prefix. For example:
mypassword = {cipher}c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf
This way, you can keep sensitive information like passwords encrypted in a Git repository. When the Spring Cloud config server pulls encrypted values from a Git repository or a native file system backend, it will decrypt encrypted values and serve already decrypted values to your Microservices. You do not need to decrypt properties manually yourself.
Note: If Spring Cloud Config cannot decrypt, then it will add the invalid prefix to a property name and use n/a as a property value. For example, let’s assume we used an incorrect encryption key, and Spring Cloud Config could not decrypt the value of a mypassword property. In this case, you will see the following in a property source returned to a Microservice:
"invalid.mypassword": "<n/a>"
Decrypting Property Yourself
For different reasons, you might need to decrypt an encrypted value. To decrypt an encrypted value, send an HTTP POST request to a /decrypt URL endpoint. For example:
curl -X POST http://localhost:8012/decrypt -d c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf
where:
- 8012 is the port number of which my Spring Cloud Config server is running. In your case, this port number might be different,
- c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf is an encrypted value which we want to decrypt.
Video tutorial
I hope this tutorial was helpful to you.
If you are interested in learning more about Spring Cloud and how to build RESTful Microservices, check out the following list of online video courses.