We take security very seriously and have taken steps to harden our services so if some one has ssh access to the box he wont be able to read the files but the webapp has to be able to read the spring config which has passwords to database so we need to protect it from any file download vulnerability.
So the plan was to encrypt passwords stored in spring files and decrypt it at runtime. As we had to decrypt the passwords back this has to be a symmetric encryption but with salt. After doing some research I found jasypt library that would be able to do this. The steps I followed were:
1) move all passwords to a separate file called as XXX_passwords.properties
2)changed spring xml to use property placeholders like ${mysql.user.password}.
3) added spring beans to load the password and decrypt them using the ENV variable ENCRYPTION_PASSWORD and added two jars to class path jasypt-1.9.1.jar and jasypt-spring31-1.9.1.jar
<bean id="encryptablePropertyPlaceholderConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath:xxx_passwords.properties" />
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="environmentVariablesConfiguration"
class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
<property name="algorithm" value="PBEWithMD5AndDES" />
<property name="passwordEnvName" value="ENCRYPTION_PASSWORD" />
</bean>
4)Wrote a sample property file encoder that will take a normal file and encode the passwords.
public class PPFileEncoder {
public static void main(String[] args) throws Exception {
String filePath = args[0];
File file = new File(filePath);
if (!file.exists()) {
System.out.println("File " + filePath + " doesnt exits");
}
Properties inputProps = new Properties();
FileReader reader = new FileReader(filePath);
inputProps.load(reader);
reader.close();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
config.setAlgorithm("PBEWithMD5AndDES");
config.setPasswordEnvName("ENCRYPTION_PASSWORD");
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setConfig(config);
Properties outputProps = new Properties();
for (Entry
5)Changed install process to encrypt passwords as the last step of install and overwrite the original property file.
6)Now ops will unset the env variable once app is up.
with jasypt if your original file was
mysql.user.password=KalpeshPatel
it would become
mysql.user.password=ENC(B4UEFvcfdIJqavADLRTZqw\=\=)
Good thing about this solution is that devops can choose a completely random value for ENCRYPTION_PASSWORD variable everytime they install the installer and different value for different machines.
So the plan was to encrypt passwords stored in spring files and decrypt it at runtime. As we had to decrypt the passwords back this has to be a symmetric encryption but with salt. After doing some research I found jasypt library that would be able to do this. The steps I followed were:
1) move all passwords to a separate file called as XXX_passwords.properties
2)changed spring xml to use property placeholders like ${mysql.user.password}.
3) added spring beans to load the password and decrypt them using the ENV variable ENCRYPTION_PASSWORD and added two jars to class path jasypt-1.9.1.jar and jasypt-spring31-1.9.1.jar
<bean id="encryptablePropertyPlaceholderConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath:xxx_passwords.properties" />
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="environmentVariablesConfiguration"
class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
<property name="algorithm" value="PBEWithMD5AndDES" />
<property name="passwordEnvName" value="ENCRYPTION_PASSWORD" />
</bean>
4)Wrote a sample property file encoder that will take a normal file and encode the passwords.
public class PPFileEncoder {
public static void main(String[] args) throws Exception {
String filePath = args[0];
File file = new File(filePath);
if (!file.exists()) {
System.out.println("File " + filePath + " doesnt exits");
}
Properties inputProps = new Properties();
FileReader reader = new FileReader(filePath);
inputProps.load(reader);
reader.close();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
config.setAlgorithm("PBEWithMD5AndDES");
config.setPasswordEnvName("ENCRYPTION_PASSWORD");
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setConfig(config);
Properties outputProps = new Properties();
for (Entry
5)Changed install process to encrypt passwords as the last step of install and overwrite the original property file.
6)Now ops will unset the env variable once app is up.
with jasypt if your original file was
mysql.user.password=KalpeshPatel
it would become
mysql.user.password=ENC(B4UEFvcfdIJqavADLRTZqw\=\=)
Good thing about this solution is that devops can choose a completely random value for ENCRYPTION_PASSWORD variable everytime they install the installer and different value for different machines.
Good one, Thanks Kalpesh
ReplyDelete