#TodayILearned: many #security-aware #java developers are wondering how to encrypt the #password values in the properties files that hold their application #configurations, like those for #Hibernate and #Spring. Obviously the last thing we want is to store our passwords in plain text when those configuration files are shared publicly on GitHub or through other source control channels.
 
And if you research the topic, you quickly become aware that "it's turtles all the way down."
 
Just look at the number of times questions on that topic have been posed on StackOverflow, Reddit, G+, Experts Exchange, etc. One would think that the Java API designers would have come up with a solution by now. (Talking to you, #Oracle and the Java community.)
 
You'll find #Jasypt. Its library lets us encrypt and decrypt values and place the encrypted values in the Spring application configuration. But it leaves the important part to you: Jasypt derives its keys from a master password, that password still has to come from somewhere at runtime, and keeping it private is not something the library solves for you.
 
We need a secure, local place that we can deploy onto an application server but never commit to source control. That local place needs to provide access to the encryption keys.
 
Then our program can use that key to encrypt and decrypt values in such a way that only encrypted passwords ever make it into source control.
 
Almost.
 
Because that local secure place can be a PKCS#12 #keystore, in which case you need an access password. And that's the bottom turtle, the one that doesn't get encrypted.
 
But that seems OK: the keystore password only unlocks a local keystore. One that isn't shared. One that gets created locally, on the server. One that can have a different password for every server, and for every keystore. That password still has to reach the process somehow, typically through an environment variable or a file readable only by the service account, so what really protects the bottom turtle is the file-system permissions and access control on that server, not the strength of the password alone.
 
Inside that keystore we add a password-protected symmetric encryption key. We choose the algorithm and key size, the password, the alias and, where the key is derived from a passphrase, the iteration count and salt. We do this from the command line; the JDK's keytool can generate the key straight into the keystore.
 
Our program then must be configured to read the key from that keystore. Once it has the key, it can encrypt our passwords and other valuable data.
 
The encrypted values go into whatever configuration file we like, and that file can be shared publicly provided the cipher is strong (authenticated encryption such as AES-GCM, with a fresh IV for every value) and the key never leaves the keystore on the server. What the shared file then leaks is at most the rough length of each secret.
 
Our program can then read the encrypted values and decrypt them using the same (symmetric) key, loaded from the keystore at startup.
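As an added example (my own sketch, not the author's unpublished library), here is the whole round trip described above in plain JDK Java: keytool creates an AES key in a PKCS#12 keystore, the program loads it with the keystore password taken from an environment variable, and it encrypts or decrypts property values wrapped as ENC(...) with AES-GCM. The keystore path /etc/myapp/secrets.p12, the alias config-key, the KEYSTORE_PASS variable and the ENC(...) wrapper are my assumptions, not anything the post prescribes.

```java
// Added example, not the author's library. Assumes the key was created on the server with:
//
//   keytool -genseckey -keyalg AES -keysize 256 -alias config-key \
//           -keystore /etc/myapp/secrets.p12 -storetype PKCS12 -storepass "$KEYSTORE_PASS"
//
// For PKCS#12 keystores keytool uses the store password as the key password as well,
// so there really is exactly one bottom-turtle secret per keystore.
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class KeystoreBackedPropertyCipher {

    private static final String PREFIX = "ENC(";   // wrapper marking an encrypted property (my convention)
    private static final String SUFFIX = ")";
    private static final int IV_BYTES = 12;        // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;       // full-length authentication tag

    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    public KeystoreBackedPropertyCipher(SecretKey key) {
        this.key = key;
    }

    /** Loads the AES key from a PKCS#12 keystore on the server's local disk. */
    public static KeystoreBackedPropertyCipher fromKeystore(String path, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(storePass));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return new KeystoreBackedPropertyCipher(((KeyStore.SecretKeyEntry) entry).getSecretKey());
    }

    /** Encrypts one property value to ENC(base64(iv || ciphertext || tag)). */
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                      // fresh nonce per value; never reuse a nonce with GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out) + SUFFIX;
    }

    /** Decrypts an ENC(...) value; unwrapped values pass through. A tampered value fails the GCM tag check. */
    public String decrypt(String value) throws Exception {
        if (!value.startsWith(PREFIX) || !value.endsWith(SUFFIX)) {
            return value;
        }
        byte[] in = Base64.getDecoder().decode(value.substring(PREFIX.length(), value.length() - SUFFIX.length()));
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        byte[] pt = c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Usage: java KeystoreBackedPropertyCipher encrypt 's3cret'   -> paste output into the properties file
    //        java KeystoreBackedPropertyCipher decrypt 'ENC(...)' -> what the application does at startup
    public static void main(String[] args) throws Exception {
        char[] storePass = System.getenv("KEYSTORE_PASS").toCharArray(); // from the environment, never from the shared config
        KeystoreBackedPropertyCipher cipher = fromKeystore("/etc/myapp/secrets.p12", storePass, "config-key");
        if (args.length == 2 && args[0].equals("encrypt")) {
            System.out.println(cipher.encrypt(args[1]));
        } else if (args.length == 2 && args[0].equals("decrypt")) {
            System.out.println(cipher.decrypt(args[1]));
        } else {
            System.err.println("usage: encrypt <value> | decrypt <ENC(...)>");
        }
    }
}
```

Run `encrypt` once per secret and paste the ENC(...) output into application.properties; at startup the application calls decrypt() on each property value it reads. Because GCM is authenticated, a ciphertext that somebody edited in the shared file fails to decrypt instead of yielding garbage, and the fresh 12-byte IV per value means two identical passwords never produce identical ciphertexts in the file.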
 
I have created a Java cryptography library that does just that. And I won't be the only dev out here who has done that.
 
And that, in my eyes, is a sign that the Java API designers don't take us developers seriously. They've added all these security providers for all these encryption algorithms. They've added ways to access keystores. But they didn't add a default way to read encrypted properties from a file. Each of us concerned citizens has to build that again, and again, and again.
 
I'm not allowed to share my cryptography utility's source code. But I can tell you it took me a week of research and 2 days of programming and testing.
 
And I hope that I will never have to do that again.
 
Happy crypting!
 