How-to encrypt sensitive values for JHipster application property files

hipsterJust yesterday someone in Gitter’s generator-jhipster chat room asked if anyone had a solution for encrypting passwords or other sensitive information in the application property files. Well, I didn’t have a solution but but I sure had the same need. I’d been thinking about this now for about 3 days. I’m embarrassed to admit that I’ve committed these application property files before, complete with usernames and passwords, many times, and in public repositories. When you do this, you should immediately head for your database and change the password because that commit just compromised the security of your database. Create a new password and don’t question my logic.

I already had an AES encryption utility class and a general crypto utility. I added them to my JHipster application with little to no modification. I also created a simple Java file to encrypt the property values requiring security using a simple main() method in my IDE during development. Initially I encrypted the property values into a byte array format and rendered the array as a String. These strings contained characters beyond A-Z and numbers 0-9. They looked like special ASCII characters e.g. hearts, spades, arrows, etc. And, they could not be read by Spring’s property handlers. I added an extra step to the encryption. I converted the byte arrays into hex string representations.

Here’s an example of application-dev.yml with encrypted hex strings for the database connection.

Decrypting the datasource credentials was fairly simple because they are currently used at application startup in a Java module called DatabaseConfiguration.java in my com.ciwise.accounting.config package. Spring needs any configuration sourcing to be done in a package directory like org.myorg.applicationame.config. Here’s a portion of my database configuration marked with my changes:

Since I’ve also configured the email feature of JHipster with a Google service email account, I needed to encrypt those credentials as well. Email for JHipster is done with an asynchronous thread using a service class called MailService.java. The Spring properties in application configuration property file is never called for in JHipster code. These properties are sourced auto-magically by a Spring implementation of org.springframework.mail.javamail.JavaMailSender. The JHipster developer adds the org.springframework.mail.javamail.JavaMailSenderImpl to MailService.java and uses an @Inject annotation to instance this class that gets your email credentials at runtime.

I moved the username and password properties from the “spring” area of the application configuration. This meant that the JavaMailSenderImpl class would be instanced at startup but without values for the username and password. I then added these properties beneath the “jhipster” area and also modified JHipsterProperties.java to source these properties in the custom static Mail class (already containing a “from” property). Since I want to represent all credentials as encrypted hex strings, I needed a place to intercept their use and do the decryption securely within the safety of Java’s security. My source changes to JHipsterProperties are shown here:

Now that the properties have been moved into a JHipster Java class, I can decrypt them and set the username and password in the JavaMailSenderImpl class, after startup, but just prior to sending email in the MailService class. Here are my changes to MailService.java

Since my current project is private I can’t share everything but I’ll share the three encryption utilities by link to BitBucket snippets. Also, I’m changing the javax.crypto.spec.SecretKeySpec salt. It’s a byte array and you should create your own and be sure it’s 16 bytes.

https://bitbucket.org/snippets/david_whitehurst/ge7rp

https://bitbucket.org/snippets/david_whitehurst/oe7re

I keep this file in my project, however the main() method has to be commented for Spring Boot to run. You could set this us as a command-line utility outside your JHipster project and just use it to create encrypted hex strings for all your property files.

https://bitbucket.org/snippets/david_whitehurst/Gezoj

That’s about it. I will probably ask the JHipster team if they would like to add the two crypto utilities to the Yeoman generator. I like it because I don’t have to be so concerned about checking in my application property files with sensitive information in them.

P.S. My JHipster version is 3.5.1 (generator-jhipster). I am using Java 8 and I added my crypto classes to groupId (com.ciwise.application) dot(.) util. This implementation should work with any JHipster version using Java and Spring Boot.

Cheers,

David L. Whitehurst

Leave a Reply

Wow, 4,457 people read this.