How to encrypt passwords in a spring boot project

Encrypting property sources in spring boot application using Karmahostage

In our previous blogpost, we looked at a way to externalize secrets in spring boot applications. In this blog post, we'll continue exploring features of Karmahostage and deep dive into another way to inject encrypted properties into your spring boot applications.

Karmahostage

Karmahostage is a SaaS solution which allows you to perform various cryptographic algorithms on data, manage cryptographic keys and store secrets. Their vault solution is perfect for storing application secrets and is a valid alternative to a Kubernetes Secret or ConfigMap. They also provide various libraries to interact with secrets, perform cryptographic algorithms and manage keys.

Prerequisites

  • 15 minutes of your time
  • A favorite text editor or IDE
  • JDK 1.8 or later
  • Gradle 4+ or Maven 3.2+

Creating a new application on Karmahostage

Visit Karmahostage and register if you haven't already done so. Go through the process and create a new cryptographic key for your freshly generated application.

Creating a cryptographic key

Also find the API key settings for your application and reveal the API key. You'll need this to authenticate towards the Karmahostage APIs.

Adding the dependencies

First, add the Karmahostage GitHub Maven repository to your pom.xml so the artifacts can be resolved.

<repositories>
    <repository>
        <id>github</id>
        <name>GitHub Karmahostage API Apache Maven Packages</name>
        <url>https://maven.pkg.github.com/Karmahostage/maven-repo</url>
    </repository>
</repositories>

Secondly, import the Maven BOM for the Karmahostage dependencies so that versions are managed for you.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.karmahostage.cloud</groupId>
            <artifactId>spring-cloud-karmahostage-dependencies</artifactId>
            <version>0.0.6</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

Lastly, you'll need to add a dependency on spring-cloud-starter-karmahostage. This pulls in the spring-cloud-starter-karmahostage-secrets dependency and activates it.

<dependency>
    <groupId>com.karmahostage.cloud</groupId>
    <artifactId>spring-cloud-starter-karmahostage</artifactId>
</dependency>

Configuring the environment

Spring Cloud Karmahostage will only work if you add an API key. An API key is linked to an application in Karmahostage.

bootstrap.properties

spring.cloud.karmahostage.apiKey=$PUT_KEY_HERE

Note: inject this key through an environment variable rather than hard-coding it in the file.

Encrypt a secret using your key

The first thing you'll need to do is encrypt the data you want to inject into your application. Head over to Karmahostage, find your key and go to the Encryption page.

On the Encryption Page, encrypt the data you want to inject.

Injecting the encrypted value in your application

Put the resulting value in your application.properties:

application.secret=vault:v1:lRLLIR2WxmOZzzqNC+BY+WuukGZaxt1pPsp9UKduTc7z/jKj7bN6YZZMI2pESA==

You can now simply use @EncryptedValue on any field to automatically inject and decrypt the value.

The simplest example of such an application would be:

import javax.annotation.PostConstruct;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
// @EncryptedValue is provided by the spring-cloud-starter-karmahostage dependency added above;
// import it from that starter's package.

@SpringBootApplication
public class ExampleEncryptedPropertiesApplication {

    // The property holds the "vault:v1:..." ciphertext; the starter decrypts it before injection.
    @EncryptedValue("${application.secret}")
    private String application;

    @PostConstruct
    public void init() {
        // Printed here only to demonstrate that decryption happened; do not log secrets in real applications.
        System.out.println("Your application secret: " + application);
    }

    public static void main(String[] args) {
        SpringApplication.run(ExampleEncryptedPropertiesApplication.class, args);
    }
}
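As an added example that is not part of the original post or the Karmahostage library: a small build-time guard, written here, that fails when a sensitive property in application.properties is not a vault: reference or when the API key is a literal instead of a Spring ${ENV_VAR} placeholder. The vault:<version>:<base64> layout is an assumption inferred from the single sample value above, and the class name and key-name patterns are mine.

```java
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Build-time guard: sensitive properties must be vault references and the API key must come from the environment. */
public final class EncryptedPropertyCheck {

    // Assumption: reference layout is "vault:<version>:<base64>", inferred from the page's single sample value.
    private static final Pattern REFERENCE = Pattern.compile("vault:v\\d+:([A-Za-z0-9+/]+={0,2})");
    // Hypothetical heuristic for which keys must never hold plaintext.
    private static final Pattern SENSITIVE_KEY = Pattern.compile("(?i)(secret|password|token)");
    private static final String API_KEY_PROPERTY = "spring.cloud.karmahostage.apiKey";
    private static final Pattern ENV_PLACEHOLDER = Pattern.compile("\\$\\{[A-Za-z0-9_]+\\}"); // Spring ${VAR} syntax

    /** Returns null if value is a well-formed vault reference, otherwise a description of the defect. */
    static String validateReference(String value) {
        if (!value.startsWith("vault:")) {
            return "plaintext value, expected a vault: reference";
        }
        Matcher m = REFERENCE.matcher(value);
        if (!m.matches()) {
            return "malformed reference";
        }
        try {
            Base64.getDecoder().decode(m.group(1));   // strict decoder rejects bad padding / characters
            return null;
        } catch (IllegalArgumentException e) {
            return "payload is not valid base64";
        }
    }

    /** One message per problem; an empty list means the properties are clean. */
    public static List<String> check(Properties props) {
        List<String> problems = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key).trim();
            if (key.equals(API_KEY_PROPERTY)) {
                if (!ENV_PLACEHOLDER.matcher(value).matches()) {
                    problems.add(key + ": API key must be an environment placeholder, not a literal");
                }
            } else if (SENSITIVE_KEY.matcher(key).find()) {
                String defect = validateReference(value);
                if (defect != null) {
                    problems.add(key + ": " + defect);
                }
            }
        }
        return problems;
    }
}
```

Call check() from a unit test on the Properties loaded from application.properties and bootstrap.properties and fail the test when the returned list is non-empty, so a plaintext secret or a literal API key never reaches a commit.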

Conclusion

You have just successfully encrypted data, injected encrypted values and automatically decrypted the data at runtime in mere minutes.

Try it out and tell us how your experience was!

Example

An updated example can be found at the spring-cloud-karmahostage repository.