Spring Boot how to hide passwords in properties file
Spring Boot uses the properties file, and at least by default, the passwords are in plain text. Is it possible to somehow hide/decrypt these?
java spring spring-boot
edited May 24 '16 at 7:22
Ali Dehghani
29.4k9 gold badges106 silver badges117 bronze badges
asked May 24 '16 at 4:57
user1340582
7,23125 gold badges96 silver badges149 bronze badges
4 Answers
If you want to hide your passwords, then the easiest solution is to use environment variables in the application.properties file or directly in your code.
In application.properties:
mypassword=${password}
Then in your configuration class:
@Autowired
private Environment environment;
[...] // Inside a method
System.out.println(environment.getProperty("mypassword"));
Or in your configuration class:
@Value("${password}")
private String herokuPath;
[...] // Inside a method
System.out.println(herokuPath);
Note: You might have to restart after setting the environment variable.
For Windows: [screenshot not preserved]
Refer to this documentation for more info.
I do not think setting the master password in the environment vars is such a good idea. The password is now more exposed than necessary. Providing it at startup as shown by Federico is less exposed and more "secure" than setting it in the environment.
– Jaavaaan
Sep 14 '16 at 6:11
Yeah, it's not if you are using a shared computer. But if you are the only administrator of your computer then no other user can see the env vars. I answered the hiding part and the easier one. But yes, I agree Federico's suggested method is way better.
– Sanjay Rawat
Sep 16 '16 at 5:30
Please see: diogomonica.com/2017/03/27/…
– Book Of Zeus
Jan 30 at 15:38
To the already proposed solutions I can add an option to configure an external Secrets Manager such as Vault.
- Configure Vault server: vault server -dev (only for DEV and not for PROD)
- Write secrets: vault write secret/somename key1=value1 key2=value2
- Verify secrets: vault read secret/somename
Add the following dependency to your Spring Boot project:
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
Add Vault config properties:
spring.cloud.vault.host=localhost
spring.cloud.vault.port=8200
spring.cloud.vault.scheme=http
spring.cloud.vault.authentication=token
spring.cloud.vault.token=${VAULT_TOKEN}
Pass VAULT_TOKEN as an environment variable.
Refer to the documentation here.
There is also a Spring Vault project which can be used for accessing, storing and revoking secrets.
Dependency:
<dependency>
    <groupId>org.springframework.vault</groupId>
    <artifactId>spring-vault-core</artifactId>
</dependency>
Configuring Vault Template:
@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        return new VaultEndpoint();
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        return new TokenAuthentication("…");
    }
}
Inject and use VaultTemplate:
public class Example {

    @Autowired
    private VaultOperations operations;

    public void writeSecrets(String userId, String password) {
        Map<String, String> data = new HashMap<String, String>();
        data.put("password", password);
        operations.write(userId, data);
    }

    public Person readSecrets(String userId) {
        VaultResponseSupport<Person> response = operations.read(userId, Person.class);
        return response.getBody();
    }
}
Use Vault PropertySource:
@VaultPropertySource(value = "aws/creds/s3",
                     propertyNamePrefix = "aws.",
                     renewal = Renewal.RENEW)
public class Config {
}
Usage example:
public class S3Client {

    // inject the actual values
    @Value("${aws.access_key}")
    private String awsAccessKey;

    @Value("${aws.secret_key}")
    private String awsSecretKey;

    public InputStream getFileFromS3(String filename) {
        // …
    }
}
+1 for this solution. Using a system like vault / etcd (or any other) is the way to go. diogomonica.com/2017/03/27/…
– Book Of Zeus
Jan 30 at 15:38
2
-1 because this doesn't explain how the "master" key (VAULT_TOKEN) is secured. Where did the VAULT_TOKEN environment variable come from? How is it secured? Without protecting that key, the attacker can use it to retrieve the secrets from the vault using the code packaged in the Spring Boot jar.
– corporatedrone
Mar 28 at 2:33
Also securing prod is the main issue. So, it has to be spoken here. Guidance for Dev/QA environments is fine.
– sofs1
Aug 18 at 0:41
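Every answer on this page replaces a literal secret in application.properties with something resolved at runtime: a Jasypt ENC(...) token, or a ${...} placeholder filled from an environment variable or from Vault. What none of them gives you is a way to notice when a literal has crept back in. The following is an added example, not code from any answer on this page: a small POSIX shell check that flags property values which are still stored as literals, suitable for a pre-commit hook or a CI step. The key patterns, the extra check on spring.cloud.vault.scheme=http and the sample properties file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from any answer on this page: flag property values that are
# still literal secrets. A value passes if it is a Jasypt ENC(...) token or a
# ${PLACEHOLDER} that Spring resolves at runtime (environment variable, Vault);
# anything else under a password/secret/token-like key is reported.
# The key patterns and the sample file are constructed for illustration.

# scan_properties FILE
# Prints "LINE: key" for each finding; returns 1 if any, 0 if the file is clean.
scan_properties() {
    awk '
        /^[[:space:]]*(#|!|$)/ { next }            # comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            lk = tolower(key)
            # Vault over plain http sends the token and every secret in cleartext
            if (lk == "spring.cloud.vault.scheme" && val == "http") {
                printf "%d: %s=http (cleartext transport)\n", NR, key
                found = 1; next
            }
            if (lk !~ /(password|passwd|secret|token|credential)/) next
            if (val == "") next                            # nothing stored
            if (val ~ /^ENC\(.*\)$/) next                  # Jasypt-encrypted
            if (val ~ /^\$\{[A-Za-z0-9_.:-]+\}$/) next     # resolved at runtime
            printf "%d: %s\n", NR, key
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# write_sample_properties FILE: a constructed application.properties mixing
# safe and unsafe entries, used to exercise the check.
write_sample_properties() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
db.username=app
db.password=hunter2
mail.password=ENC(XcBjfjDDjxeyFBoaEPhG14wEzc6Ja+Xx+hNPrJyQT88=)
mypassword=${password}
spring.cloud.vault.scheme=http
spring.cloud.vault.token=s.literaltoken
spring.cloud.vault.authentication=token
server.port=8080
EOF
}

# Usage: scan_properties src/main/resources/application.properties || echo "fix before commit"
```

Run against the sample, the check reports db.password (a literal), spring.cloud.vault.scheme=http and spring.cloud.vault.token (a literal token instead of ${VAULT_TOKEN}), and accepts the ENC(...) and ${password} entries. It deliberately matches on key names rather than trying to recognise secret-looking values, so a key named in a project-specific way needs adding to the pattern.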
You can use Jasypt to encrypt properties, so you could have your property like this:
db.password=ENC(XcBjfjDDjxeyFBoaEPhG14wEzc6Ja+Xx+hNPrJyQT88=)
Jasypt allows you to encrypt your properties using different algorithms; once you get the encrypted property, you put it inside the ENC(...). For instance, you can encrypt this way through Jasypt using the terminal:
encrypted-pwd$ java -cp ~/.m2/repository/org/jasypt/jasypt/1.9.2/jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="contactspassword" password=supersecretz algorithm=PBEWithMD5AndDES
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 24.45-b08
----ARGUMENTS-------------------
algorithm: PBEWithMD5AndDES
input: contactspassword
password: supersecretz
----OUTPUT----------------------
XcBjfjDDjxeyFBoaEPhG14wEzc6Ja+Xx+hNPrJyQT88=
To easily configure it with Spring Boot you can use its starter jasypt-spring-boot-starter with group ID com.github.ulisesbocchio.
Keep in mind that you will need to start your application using the same password you used to encrypt the properties. So, you can start your app this way:
mvn -Djasypt.encryptor.password=supersecretz spring-boot:run
Or using the environment variable (thanks to Spring Boot relaxed binding):
export JASYPT_ENCRYPTOR_PASSWORD=supersecretz
mvn spring-boot:run
You can check the link below for more details:
https://www.ricston.com/blog/encrypting-properties-in-spring-boot-with-jasypt-spring-boot/
To use your encrypted properties in your app just use them as usual, with either method you like (Spring Boot wires the magic; anyway the property must of course be in the classpath):
Using the @Value annotation:
@Value("${db.password}")
private String password;
Or using Environment:
@Autowired
private Environment environment;

public void doSomething(Environment env) {
    System.out.println(env.getProperty("db.password"));
}
Update: for a production environment, to avoid exposing the password in the command line (since you can query the processes with ps, previous commands with history, etc.), you could:
- Create a script like this: touch setEnv.sh
- Edit setEnv.sh to export the JASYPT_ENCRYPTOR_PASSWORD variable:
  #!/bin/bash
  export JASYPT_ENCRYPTOR_PASSWORD=supersecretz
- Execute the file with: . setEnv.sh
- Run the app in the background with: mvn spring-boot:run &
- Delete the file setEnv.sh
- Unset the previous environment variable with: unset JASYPT_ENCRYPTOR_PASSWORD
edited Mar 28 at 4:46
answered May 24 '16 at 21:34
Federico Piazza
22k9 gold badges54 silver badges90 bronze badges
Could you please explain more in detail using Gradle @Federico Piazza
– Johir
Jan 10 '17 at 12:30
It is not clear about using with Maven. You pass some property and what further? Where is the property file? How to use this value in code?
– gstackoverflow
Oct 2 '17 at 16:03
@FedericoPiazza Isn't mvn -Djasypt.encryptor.password=supersecretz spring-boot:run going to show up in the ps output, exposing the password?
– Srki Rakic
Dec 27 '18 at 22:17
@SrkiRakic yes, of course. This is just for development; if you want it for production you should use environment variables. Spring Boot allows you to use JASYPT_ENCRYPTOR_PASSWORD
– Federico Piazza
Dec 28 '18 at 11:33
haha and how does it get into environment variables? Probably from another file like a service definition :D Also jasypt is outdated when it comes to password derivation, so make sure to use a totally random 32 character password
– Roman Plášil
Mar 7 at 3:35
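The comments above make two points: a password given as a -D argument is visible to every user through ps, and a variable exported into the interactive shell lingers in that shell and in anything it later spawns. The script below is an added example, not part of Federico's answer, of a launcher that reads the Jasypt encryptor password from a file which must be readable only by its owner and hands it to the JVM in the child process's environment alone; the secret file path, the jar name and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original answer: start the application with the
# Jasypt encryptor password taken from a private file, so that the password is
# never a command-line argument (visible to everyone via ps) and never exported
# into the interactive shell (history, later child processes).
# The secret file path and the jar name are assumptions for illustration.

# secret_file_is_private FILE
# Returns 0 if FILE is a regular file not readable by group or others, else 1.
secret_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback; both print octal permission bits
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)   # keep owner/group/other digits
    [ "${mode#?}" = "00" ]                   # group and other digits must be 0
}

# run_with_encryptor_password SECRET_FILE COMMAND [ARGS...]
# Reads the password from SECRET_FILE and runs COMMAND with
# JASYPT_ENCRYPTOR_PASSWORD present only in that child's environment.
run_with_encryptor_password() {
    secret_file="$1"; shift
    secret_file_is_private "$secret_file" || {
        echo "refusing: $secret_file must be a regular file readable only by its owner" >&2
        return 1
    }
    # `env VAR=value cmd` passes the variable to the child only; the calling
    # shell keeps no copy, so nothing spawned later inherits it.
    env JASYPT_ENCRYPTOR_PASSWORD="$(cat "$secret_file")" "$@"
}

# Usage (assumed paths):
#   run_with_encryptor_password /etc/myapp/jasypt.pw java -jar name.jar
```

This removes the two broadcast channels (argument list and shell history) without the edit-source-delete-unset dance from the answer. The environment of the running JVM stays readable by the same user and by root, which is exactly the residual exposure the comments discuss; that boundary is what a secrets manager such as Vault is meant to move.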
Spring Cloud Config Server will allow this type of behavior. Using JCE you can set up a key on the server and use it to cipher the app's properties.
http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html
answered May 24 '16 at 5:25
code
2,3552 gold badges17 silver badges36 bronze badges
2,3552 gold badges17 silver badges36 bronze badges
add a comment |
add a comment |
If you want to hide your passwords then the easiest solution is to use Environment variables in application.properties file or directly in your code.
In application.properties:
mypassword=$password
Then in your configuration class:
@Autowired
private Environment environment;
[...]//Inside a method
System.out.println(environment.getProperty("mypassword"));
In your configuration class:
@Value("$password")
private String herokuPath;
[...]//Inside a method
System.out.println(herokuPath);
Note: You might have to restart after setting environment variable.
For windows:

Refer this Documentation for more info.
answered May 24 '16 at 21:26
Sanjay Rawat
17
I do not think setting the master password in the environment vars is such a good idea. The password is now more exposed than necessary. Providing it a startup as shown by Federico is less exposed and more "secure" than setting it in the environment.
– Jaavaaan
Sep 14 '16 at 6:11
Yaa, it's not if you are using a shared computer. But if you are the only administrator of your computer then no other user can see the env vars. I answered the hiding part and the easier one. But yes, I agree Federico's suggested method is way better.
– Sanjay Rawat
Sep 16 '16 at 5:30
Please see: diogomonica.com/2017/03/27/…
– Book Of Zeus
Jan 30 at 15:38
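A variant of the same `${...}` placeholder approach, added as an example (it is not the answer's code): keep the placeholder in application.properties but source its value from a file mounted by the container runtime rather than from the process environment. Environment variables are inherited by every child process and show up in anything that dumps the environment (diagnostic endpoints, crash reports, build logs), and command-line arguments are visible to every local user through `ps`. A file under `/run/secrets` with mode 0400 is readable only by the service's own user. The `SECRETS_DIR` variable, the `/run/secrets` default and the file-name-to-property mapping (`db_password` becomes `db.password`) are this example's own conventions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;

/**
 * Added example (not the answer's code). Loads secrets that the container runtime
 * mounted as files (Docker and Kubernetes secrets land under /run/secrets) into a
 * Spring property source, so application.properties can say
 *     spring.datasource.password=${db.password}
 * while the value lives neither in the process environment nor on the command line.
 * SECRETS_DIR and the file-name -> property-name mapping are this example's convention.
 */
public class FileSecretsPostProcessor implements EnvironmentPostProcessor {

    static final String DEFAULT_DIR = "/run/secrets";

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        String dir = env.getProperty("SECRETS_DIR", DEFAULT_DIR);
        Map<String, Object> secrets = loadSecrets(Paths.get(dir));
        // addFirst: a mounted secret overrides the same key in application.properties or the environment
        env.getPropertySources().addFirst(new MapPropertySource("fileSecrets", secrets));
    }

    /** db_password -> db.password; the file content is the value with its trailing newline removed. */
    static Map<String, Object> loadSecrets(Path dir) {
        Map<String, Object> out = new HashMap<>();
        if (!Files.isDirectory(dir)) {
            // Nothing mounted (e.g. local dev): ${db.password} stays unresolved and Boot refuses to start,
            // which is the behaviour you want rather than silently connecting with an empty password.
            return out;
        }
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
            for (Path f : files) {
                if (!Files.isRegularFile(f)) {
                    continue;
                }
                String key = f.getFileName().toString().replace('_', '.');
                String value = new String(Files.readAllBytes(f), StandardCharsets.UTF_8);
                // Secrets written with `echo` carry a trailing newline that would break the database login
                while (value.endsWith("\n") || value.endsWith("\r")) {
                    value = value.substring(0, value.length() - 1);
                }
                out.put(key, value);
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read secrets from " + dir, e);
        }
        return out;
    }
}
```

Register the class in `src/main/resources/META-INF/spring.factories` under the key `org.springframework.boot.env.EnvironmentPostProcessor` (the package name you use is your own choice). Spring Boot 2.4 and later ship the same idea built in: `spring.config.import=configtree:/run/secrets/` maps a directory of files to properties without any custom code.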
To the already proposed solutions I can add an option to configure an external Secrets Manager such as Vault.
- Configure Vault Server:
    vault server -dev    (only for DEV and not for PROD)
- Write secrets:
    vault write secret/somename key1=value1 key2=value2
- Verify secrets:
    vault read secret/somename
Add the following dependency to your SpringBoot project:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
Add Vault config properties:
spring.cloud.vault.host=localhost
spring.cloud.vault.port=8200
spring.cloud.vault.scheme=http
spring.cloud.vault.authentication=token
spring.cloud.vault.token=${VAULT_TOKEN}
Pass VAULT_TOKEN as an environment variable.
Refer to the documentation here.
There is also the Spring Vault project, which can be used for accessing, storing and revoking secrets.
Dependency:
<dependency>
<groupId>org.springframework.vault</groupId>
<artifactId>spring-vault-core</artifactId>
</dependency>
Configuring Vault Template:
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;
@Configuration
class VaultConfiguration extends AbstractVaultConfiguration {
    @Override
    public VaultEndpoint vaultEndpoint() {
        return new VaultEndpoint();
    }
    @Override
    public ClientAuthentication clientAuthentication() {
        return new TokenAuthentication("…");
    }
}
Inject and use VaultTemplate:
import java.util.HashMap;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.support.VaultResponseSupport;
public class Example {
    @Autowired
    private VaultOperations operations;
    public void writeSecrets(String userId, String password) {
        Map<String, String> data = new HashMap<String, String>();
        data.put("password", password);
        operations.write(userId, data);
    }
    public Person readSecrets(String userId) {
        VaultResponseSupport<Person> response = operations.read(userId, Person.class);
        return response.getBody();
    }
}
Use Vault PropertySource:
import org.springframework.vault.annotation.VaultPropertySource;
import org.springframework.vault.annotation.VaultPropertySource.Renewal;
@VaultPropertySource(value = "aws/creds/s3",
        propertyNamePrefix = "aws.",
        renewal = Renewal.RENEW)
public class Config {
}
Usage example:
import java.io.InputStream;
import org.springframework.beans.factory.annotation.Value;
public class S3Client {
    // inject the actual values
    @Value("${aws.access_key}")
    private String awsAccessKey;
    @Value("${aws.secret_key}")
    private String awsSecretKey;
    public InputStream getFileFromS3(String filename) {
        // …
    }
}
answered Jan 11 at 11:21
J-Alex
+1 for this solution. Using a system like vault / etcd (or any other) is the way to go. diogomonica.com/2017/03/27/…
– Book Of Zeus
Jan 30 at 15:38
2
-1 because this doesn't explain how the "master" key (VAULT_TOKEN) is secured. Where did the VAULT_TOKEN environment variable come from? How is it secured? Without protecting that key, the attacker can use it to retrieve the secrets from the vault using the code packaged in the Spring Boot jar.
– corporatedrone
Mar 28 at 2:33
Also securing prod is the main issue. So, it has to be spoken of here. Guidance for Dev/QA environments is fine.
– sofs1
Aug 18 at 0:41
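The comment above asks where `VAULT_TOKEN` comes from and how it is protected. The usual answer is not to have one: authenticate with something the platform already gives the workload. Below is an added example (not the answer's code, nor Spring Vault's own) of the answer's configuration class rewritten for Vault's Kubernetes auth method, plus a service that reads a secret from a KV v2 engine. It assumes Spring Vault 2.1 or later, a Vault role named `myapp` bound to the pod's service account and namespace, a Vault server reachable at `vault.internal`, and a secret stored at `secret/myapp/db`; every one of those names is an assumption.

```java
import java.net.URI;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.authentication.KubernetesAuthentication;
import org.springframework.vault.authentication.KubernetesAuthenticationOptions;
import org.springframework.vault.authentication.KubernetesServiceAccountTokenFile;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.config.AbstractVaultConfiguration;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

/**
 * Added example (not the answer's code). No VAULT_TOKEN is provisioned anywhere: the
 * service-account JWT that Kubernetes mounts into the pod is exchanged at startup for a
 * short-lived Vault token carrying only the policies of the "myapp" role. Role name,
 * Vault hostname and secret path are this example's assumptions.
 */
@Configuration
public class KubernetesVaultConfiguration extends AbstractVaultConfiguration {

    @Override
    public VaultEndpoint vaultEndpoint() {
        // TLS, unlike the dev server's scheme=http; Vault's CA must be in the JVM truststore
        return VaultEndpoint.from(URI.create("https://vault.internal:8200"));
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        KubernetesAuthenticationOptions options = KubernetesAuthenticationOptions.builder()
                .role("myapp")                                        // Vault role bound to this pod's service account
                .jwtSupplier(new KubernetesServiceAccountTokenFile())  // /var/run/secrets/kubernetes.io/serviceaccount/token
                .build();
        // restOperations() is supplied by AbstractVaultConfiguration
        return new KubernetesAuthentication(options, restOperations());
    }
}

@Service
class DatabaseCredentials {

    private final VaultTemplate vault; // bean created by AbstractVaultConfiguration

    DatabaseCredentials(VaultTemplate vault) {
        this.vault = vault;
    }

    /** KV v2 engine mounted at "secret", written with: vault kv put secret/myapp/db password=... */
    String databasePassword() {
        VaultResponse response = vault.opsForKeyValue("secret", KeyValueBackend.KV_2).get("myapp/db");
        Map<String, Object> data = response == null ? null : response.getData();
        if (data == null || !(data.get("password") instanceof String)) {
            // fail fast rather than start with an empty credential
            throw new IllegalStateException("secret/myapp/db has no password field");
        }
        return (String) data.get("password");
    }
}
```

With Spring Cloud Vault instead of raw Spring Vault the same change is pure configuration: `spring.cloud.vault.authentication=KUBERNETES` and `spring.cloud.vault.kubernetes.role=myapp` replace the `token` lines in the answer. On the Vault side the Kubernetes auth method must be enabled and the role must bind the service account and namespace to a policy granting read only on the paths this application needs; that binding, not an environment variable, is what bounds what a compromised pod can fetch. For production database credentials consider Vault's database secrets engine, which issues short-TTL per-instance usernames and passwords so there is no static password to hide in the first place.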