Question regarding encryption for config server values

Vijay Yadav posted Apr 20, 2020 06:11 PM

Question: I have one config server in which I have `spring.username` and `spring.password`, and I need to pass the password in encrypted format.

So here is the format that I am passing:

```
spring.username: abc
spring.password:{cipher}abcd1234
encrypt.key=qwerty13ry56
```

By referring to different documents, I found that we can use the encrypt.key:

https://www.devglan.com/spring-cloud/encrypt-decrypt-cloud-config-properties

http://www.appsdeveloperblog.com/spring-cloud-config-symmetric-encryption-and-decryption/


But the key is not being passed to the config server.

Could you please help me with how we can pass the encrypt.key through the config server instead of bootstrap.yml and application.properties?

Daniel Mikusa

1.) Are you using Open Source Config Server or are you using Pivotal Spring Cloud Service Config Server?
2.) Where are you storing your config? Git? Vault? etc..
3.) Are `spring.username` and `spring.password` coming from the location you've set in question 2?
> Could you please help me with how we can pass the encrypt.key through the config server instead of bootstrap.yml and application.properties?

I don't think this is possible. Off the top of my head, it sounds like you're going to end up with a bootstrapping (i.e. chicken vs egg) problem. Config server is going to need the decryption key to decrypt stuff, but if you're putting it in config server, it can't get to it until it can decrypt the values, and it needs the key to do this.

Vijay Yadav

Hi Team,

Adding to the same context, I have one similar issue.

I have my database configuration in the PCF config server, which I have hosted on GitLab, and I am passing the values in the below format:

```
spring.datasorce.username=abcxyz
spring.datasorce.password={cipher}abv457ndfefewdwo
```

However, I am passing the encrypt key separately:

1.) Adding it as a PCF environment variable, like `ENCRYPT_KEY: abc@12345`

2.) I tried adding it in `.profile`, so it should initialize when the container starts. Here is the format I am using:

```
export encrypt.key=abc@12345
```

In both cases it is not encrypting the values and says unable to connect to the database.

Please suggest the best possible way to make it work.


Daniel Mikusa

Not sure I understand what you are trying to do, but you can put encrypted properties into the files that you check into Git.
Ex: https://github.com/spring-cloud-services-samples/cook-config/blob/master/cook-encryption.properties
The format is `key={cipher}encrypted_value` (Properties file) or `key: {cipher}encrypted_value` (YAML).

Config server then needs to be configured with the encryption key to decrypt the value.
https://docs.pivotal.io/spring-cloud-services/3-1/common/config-server/configuring-with-git.html#encryption-and-encrypted-values
Config server will then automatically decrypt and provide properties to applications that connect and request them.
To encrypt the value, you need to send a request to Config server as is described in the doc link above. The return value of that call would be `encrypted_value` in the example above.
Hope that helps!

Daniel Mikusa

For what it's worth, you do not pass the encryption key to your applications. The encryption key is only known by the config server. You then talk to the config server to get an encrypted value, and client apps talk to the config server to get properties; they receive the decrypted values from the config server.
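Added example, not code from the thread or from Spring Cloud Config: a small Python check that audits the flat `.properties` / dotted YAML entries of a config repo for the `{cipher}` convention described in the two answers above, flagging secret-looking keys committed in plaintext and an `encrypt.key` committed next to them (the chicken-and-egg case from the first reply). The sensitive-key pattern, the forbidden key names and the sample entries are assumptions constructed for the demo.

```python
import re
from typing import Dict, List

CIPHER_PREFIX = "{cipher}"
# Keys whose values must be committed only in encrypted ({cipher}) form (assumed list).
SENSITIVE_KEY = re.compile(r"(password|secret|token|credentials?)$", re.IGNORECASE)
# The decryption key belongs to the config server alone; committing it to the
# config repo recreates the chicken-and-egg problem described in the thread.
FORBIDDEN_KEYS = {"encrypt.key", "encrypt_key"}


def parse_flat_config(text: str) -> Dict[str, str]:
    """Parse `key=value` (.properties) or flat, dotted `key: value` (YAML) lines."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "---")):
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        # In YAML a '{cipher}...' value must be quoted ('{' opens a flow
        # mapping), so strip one matching pair of surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        config[key] = value
    return config


def audit_config(text: str) -> List[str]:
    """Return one finding per key that violates the {cipher} conventions."""
    findings: List[str] = []
    for key, value in parse_flat_config(text).items():
        if key.lower() in FORBIDDEN_KEYS:
            findings.append(f"{key}: decryption key must not live in the config repo")
        elif value.startswith(CIPHER_PREFIX) and not value[len(CIPHER_PREFIX):]:
            findings.append(f"{key}: {CIPHER_PREFIX} marker with empty ciphertext")
        elif SENSITIVE_KEY.search(key) and not value.startswith(CIPHER_PREFIX):
            findings.append(f"{key}: plaintext secret, expected a {CIPHER_PREFIX} value")
    return findings


# Constructed samples modelled on the thread's snippets (not real credentials).
SAMPLE_PROPERTIES = """\
spring.datasource.username=abcxyz
spring.datasource.password={cipher}abv457ndfefewdwo
spring.password=plaintext-oops
encrypt.key=qwerty13ry56
"""
SAMPLE_YAML = "spring.username: abc\nspring.password: '{cipher}abcd1234'\n"
```

Run `audit_config(...)` over each file in the repo (for instance from a pre-commit hook); an empty list means every secret-looking key is already in `{cipher}` form and no decryption key was committed.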