Automatic Decryption in Java with Jasypt: A Guide to Secure Property Management

Security is a critical concern in modern applications, especially when handling sensitive information such as database credentials, API keys, and user secrets. Java applications, particularly those using Spring Boot, often require a way to securely store and manage sensitive properties. One effective approach is using Jasypt (Java Simplified Encryption), which provides seamless encryption and automatic decryption of configuration properties.

In this article, we will explore how Jasypt automatically decrypts encrypted properties in Java applications, particularly in Spring Boot, ensuring both security and ease of use.


What is Jasypt?

Jasypt (Java Simplified Encryption) is a library designed to simplify encryption and decryption tasks in Java applications. It supports various encryption algorithms, including PBEWITHHMACSHA256ANDAES_128, making it a powerful tool for securing application properties.

With Jasypt, you can store encrypted values in your application.properties or application.yml files and have them automatically decrypted at runtime by Spring Boot.


How Jasypt Automatically Decrypts Properties in Spring Boot

Spring Boot applications can leverage Jasypt to automatically decrypt property values wrapped in ENC(...). When the application starts, Jasypt intercepts the encrypted values, decrypts them using the configured algorithm and password, and injects the plaintext values into the application context.

1. Adding Jasypt to Your Project

To enable Jasypt in a Spring Boot application, you need to add the following dependency to your pom.xml file:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.5</version>
</dependency>

For Gradle users, add:

implementation 'com.github.ulisesbocchio:jasypt-spring-boot-starter:3.0.5'

2. Encrypting Sensitive Properties

Jasypt allows you to encrypt sensitive information such as database passwords. You can generate an encrypted value using Jasypt’s CLI tool or programmatically.

Example of an encrypted password stored in application.properties:

spring.datasource.password=ENC(7BLHiP5xriXhRHfGUU8qyZ4lyxa/KZum99o8T0YSiWTGpeTvkYXbb+WPquiHRtlr)

3. Providing the Encryption Password

To decrypt the properties at runtime, you must provide the encryption password (secret key). You can specify this password in several ways:

  • As an environment variable:
    export JASYPT_ENCRYPTOR_PASSWORD=your-secret-password
    
  • In application.properties (not recommended for production):
    jasypt.encryptor.password=your-secret-password
    
  • As a system property when running the application:
    java -Djasypt.encryptor.password=your-secret-password -jar your-application.jar
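
A pre-commit or CI check for the options above, as an added example that is not part of the original article or of Jasypt: it reports a jasypt.encryptor.password stored in the properties file and sensitive-looking keys whose values are not wrapped in ENC(). The class name, the key-name pattern and the sample contents are assumptions made for illustration, and only the .properties format is handled.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.TreeSet;
import java.util.regex.Pattern;

public class PropertiesSecretAudit {
    // Assumption: key names that usually hold secrets; extend for your project.
    private static final Pattern SENSITIVE =
            Pattern.compile("(?i).*(password|secret|token|api[-_.]?key).*");
    private static final Pattern ENC = Pattern.compile("^ENC\\(.+\\)$");
    // A ${...} placeholder means the value is supplied from outside the file.
    private static final Pattern PLACEHOLDER = Pattern.compile("^\\$\\{[^}]+\\}$");

    static List<String> audit(Properties props) {
        List<String> findings = new ArrayList<>();
        for (String key : new TreeSet<>(props.stringPropertyNames())) {
            String value = props.getProperty(key).trim();
            boolean external = PLACEHOLDER.matcher(value).matches();
            if (key.equals("jasypt.encryptor.password")) {
                if (!value.isEmpty() && !external) {
                    findings.add(key + ": encryption password is stored in the file,"
                            + " next to the ciphertext it protects");
                }
            } else if (SENSITIVE.matcher(key).matches() && !value.isEmpty()
                    && !external && !ENC.matcher(value).matches()) {
                findings.add(key + ": sensitive value is not wrapped in ENC()");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file contents (not real credentials or ciphertext).
        String sample = String.join("\n",
                "spring.datasource.username=app_user",
                "spring.datasource.password=ENC(c2FtcGxlLWNpcGhlcnRleHQ=)",
                "payment.api-key=sk_sample_plaintext",
                "jasypt.encryptor.password=your-secret-password");
        Properties props = new Properties();
        props.load(new StringReader(sample));
        audit(props).forEach(System.out::println);
    }
}
```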
    

4. Configuring Jasypt in Spring Boot

To ensure proper decryption, configure Jasypt settings in application.properties or application.yml:

jasypt.encryptor.algorithm=PBEWITHHMACSHA256ANDAES_128
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator

This configuration selects password-based encryption with AES-128, using HMAC-SHA256 to derive the key from the password, and generates a random IV for each encrypted value for additional protection.

5. How Jasypt Works Internally

  1. Spring Boot loads configuration properties from application.properties or application.yml.
  2. Jasypt identifies property values wrapped in ENC(...).
  3. Decryption occurs using the provided secret key and algorithm.
  4. Plaintext values are injected into the application context, making them accessible as normal properties.
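
The steps above as a simplified model, in an added example that is not jasypt-spring-boot's own code and not from the original article: it encrypts a constructed secret programmatically (as mentioned in step 2 of the setup), stores it as ENC(...), then resolves every ENC(...) value in a Properties object. The class and method names and the sample values are assumptions; the password is read from JASYPT_ENCRYPTOR_PASSWORD.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class EncRoundTrip {
    // A value counts as encrypted only when it is entirely wrapped in ENC(...).
    private static final Pattern ENC = Pattern.compile("^ENC\\((.+)\\)$");

    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setAlgorithm("PBEWITHHMACSHA256ANDAES_128");   // jasypt.encryptor.algorithm
        e.setIvGenerator(new RandomIvGenerator());        // jasypt.encryptor.iv-generator-classname
        return e;
    }

    // Internal steps 2-4: find ENC(...) values, decrypt them, expose plaintext.
    static Properties resolve(Properties raw, StandardPBEStringEncryptor e) {
        Properties out = new Properties();
        for (String key : raw.stringPropertyNames()) {
            String value = raw.getProperty(key);
            Matcher m = ENC.matcher(value.trim());
            out.setProperty(key, m.matches() ? e.decrypt(m.group(1)) : value);
        }
        return out;
    }

    public static void main(String[] args) {
        String password = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        StandardPBEStringEncryptor enc = encryptor(password);

        Properties raw = new Properties(); // constructed sample configuration
        raw.setProperty("spring.datasource.username", "app_user");
        raw.setProperty("spring.datasource.password",
                "ENC(" + enc.encrypt("s3cr3t-sample") + ")");

        String key = "spring.datasource.password";
        System.out.println("stored:   " + raw.getProperty(key));
        System.out.println("resolved: " + resolve(raw, enc).getProperty(key));

        // Random salt and IV: encrypting the same plaintext twice gives different text.
        boolean same = enc.encrypt("s3cr3t-sample").equals(enc.encrypt("s3cr3t-sample"));
        System.out.println("same ciphertext twice: " + same);
    }
}
```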

Example: Decrypting Properties in Java Code

You can manually decrypt values within your Java application using Jasypt’s API:

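import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class JasyptDecryption {
    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword("your-encryption-password"); // Replace with actual password
        encryptor.setAlgorithm("PBEWITHHMACSHA256ANDAES_128");
        // AES-based PBE algorithms need an IV generator; it must match the
        // jasypt.encryptor.iv-generator-classname used when the value was encrypted.
        encryptor.setIvGenerator(new RandomIvGenerator());

        // The Base64 text from inside ENC(...), without the ENC( ) wrapper
        String encryptedText = "7BLHiP5xriXhRHfGUU8qyZ4lyxa/KZum99o8T0YSiWTGpeTvkYXbb+WPquiHRtlr";
        String decryptedText = encryptor.decrypt(encryptedText);

        System.out.println("Decrypted Text: " + decryptedText);
    }
}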

This approach allows decryption within Java code if needed outside of Spring Boot’s automatic decryption mechanism.


Troubleshooting Jasypt Automatic Decryption

  1. Decryption Fails with ENC() Prefix Not Being Processed
    • Ensure that jasypt-spring-boot-starter is correctly added as a dependency.
    • Verify that JASYPT_ENCRYPTOR_PASSWORD is correctly set in the environment.
  2. Incorrect Algorithm Used
    • Ensure that the same algorithm used for encryption is specified in jasypt.encryptor.algorithm.
  3. Application Not Starting Due to Missing Dependencies
    • Check that your Spring Boot version is compatible with the Jasypt version.

Conclusion

Jasypt simplifies encryption and decryption of sensitive properties in Java applications, especially when used with Spring Boot. By leveraging automatic decryption of values wrapped in ENC(), applications can securely manage sensitive information without manual intervention.

By following this guide, you can seamlessly integrate Jasypt into your Spring Boot project, ensuring a higher level of security for your application’s configuration data.
