Spring Cloud Config – Symmetric Encryption and Decryption

In this tutorial you will learn how to encrypt and decrypt a property value which is being served by Spring Cloud Config Server. The Config Server can use a symmetric (shared) key or an asymmetric one (RSA key pair). In this tutorial we will use symmetric key.

For Asymmetric Encryption read this tutorial: Spring Cloud Config – Asymmetric Encryption and Decryption.

To learn more about Spring Cloud please have a look at my other Spring Cloud tutorials.

For a step by step series of video lessons, please check this page: Spring Boot Microservices and Spring Cloud.

Add the Java Cryptography Extension

For Spring Cloud to be able to encrypt and decrypt properties you will need to add the full-strength JCE to your JVM (it is not included by default). You can download the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from Oracle and follow the installation instructions. Make sure you download JCE for your Java platform.

The installation process is very simply. Basically you will need to copy the two downloaded jar files to a /lib/security folder in your JDK.

<java-home>/lib/security [Unix]
<java-home>\lib\security [Windows]

Note: Once you copy the JCE libraries you will need to kill the running Java process and start it again. If that does not help, restart your computer.

Video demonstration

Add the Encryption Key to a Config Server

For Spring Cloud Config to be able to encrypt and decrypt properties you will need to provide an encryption key. The value of encryption key is up to you to generate but the more secure it is the better. Use an alpha-numeric string of characters containing upper and lower case characters.

Note: The encryption key should be added to a bootstrap.properties file.

For example:

encrypt.key=fje83Ki8403Iod87dne7Yjsl3THueh48jfuO9j4U2hf64Lo

Encrypt Property

Once you have added the encryption key to a bootstrap.properties file of your Spring Cloud Config server, run the server. To encrypt a property send HTTP POST request to a /encrypt URL endpoint. Below is an example of CURL command to encrypt a property value “mypassword”:

curl -X POST http://localhost:8012/encrypt -d mypassword

where:

  • 8012 – is a port number of which my Spring Cloud Config server is running. In your case this port number might be different.
  • mypassword – is a string we want to encrypt.

The response in my case is an encrypted value:

c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf

Use Encrypted Value

The Spring Cloud Config can be used with Git or Native file system as a backend. When adding an encrypted value to a property file which is being served by a Spring Cloud Config server use a {cipher} prefix. For example:

mypassword = {cipher}c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf

This way you can keep sensitive information like passwords encrypted in a Git repository. When Spring Cloud config server pulls encrypted values from a Git repository or a native file system backend, it will decrypt encrypted values and will serve already decrypted values to your Microservices. You do not need to decrypt properties manually yourself.

Note: If Spring Cloud Config was not able to decrypt the it will add the invalid prefix to a property name and it will use n/a as a property value. For example, let’s assume we used an incorrect encryption key and Spring Cloud Config was not able to decrypt the value of a mypassword property. In this case you will see the following in a property source returned to a Microservice:

"invalid.mypassword": "<n/a>"

Decrypting Property Yourself

For different reasons you might need to decrypt an encrypted value. To decrypt an encrypted value send HTTP POST request to a /decrypt URL endpoint. For example:

curl -X POST http://localhost:8012/decrypt -d c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf

where:

  • 8012 is a port number of which my Spring Cloud Config server is running. In your case this port number might be different,
  • c6462015030a9a5e2cd286ef2cc5935534f5004090443529c9752805a1187bcf is an encrypted value which we want to decrypt.

Video tutorial

I hope this tutorial was helpful for you.

If you are interested in learning more about Spring Cloud and how to building RESTful Microservices have a look at the following list of online video courses.


Leave a Reply

Your email address will not be published. Required fields are marked *