store Encrypted password in config file then decrypt the password to use in application  RSS feed

 
Ranch Hand
Posts: 624
I have an executable application (jar) which picks credentials of the target application (cloud) from a YAML (configuration) file. The user enters those credentials manually. The YAML file is loaded once in the single lifecycle of the application/jar.
Until now, the application was designed to pick the plain-text password from the file, but now a requirement came in that storing the password in text format in the YAML file is not allowed, because the client doesn't want to let everybody know the password.
Is there any way I can store the encrypted password in the YAML file, and then have the application pick up that encrypted password, decrypt it, and pass it to the target application (cloud)?
 
Saloon Keeper
Posts: 9401
You say that users enter credentials manually into the configuration file, but how are they going to do that if the credentials need to be encrypted?

Doesn't the cloud service support an authentication standard such as OAuth? That way you don't have to mess around with passwords.
 
Author and ninkuma
Marshal
Posts: 66826
If you do end up handling the passwords yourself (but give serious thought to Stephan's suggestion), they should never be decryptable. Rather, when the user enters a password, you encrypt that using the same scheme as the stored password and compare the encrypted versions. If the two passwords are identical they will encrypt to the same value.

If you can decrypt a password, so can anyone else, so always use a non-decryptable scheme.
 
Sheriff
Posts: 12556
Check out the Jasypt Project - I've used this in past projects to keep system credentials from being stored in plain text. Of course, you should have multiple layers of security on top of this, like access control lists (ACL), limited privileges, physical security, etc. By "system" credentials, I mean things like DB passwords, generic user accounts, and other things not pertaining to individual users of the system.
 
Junilu Lacar
Sheriff
Posts: 12556
I'm sure there's no disagreement that regular user credentials / passphrases should be hashed, not encrypted.

However, I believe that OP is talking about system credentials that are part of an automated authentication process. One way to do automated authentication, of course, is to use SSH key authentication. But that won't work for everything. What if your company policy is to have a generic user assigned to your application? Then you have to use that generic user's credentials for database connections and things like that. That's where tools like Jasypt come in handy. Like I said, I used this tool on past projects and it was fine for what we needed, and for a security-related application no less. Again, this is not and should not be your only line of defense -- you should have a multi-layered security strategy to protect secrets and confidential assets.

What we did was to use Jasypt to encrypt the DB password and then keep the encrypted string in our application's config file. We integrated Jasypt into the application startup process, where the operator had to key in the passphrase. We used randomly generated passphrases that were kept secure in password manager programs. We had a schedule for changing those passphrases at regular intervals and a process for distributing the password manager databases securely to people who needed them. For other cases, we kept the passphrases as environment settings on servers to which ACLs limited privileges and access.
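The startup pattern described above, as an added example that is not code from the thread or from the Jasypt project: a JDK-only stand-in (javax.crypto rather than Jasypt itself) where the YAML file carries only the ciphertext and the passphrase is keyed in by the operator at the console, or read from an ACL-protected environment variable on servers. The class name, the `APP_CONFIG_PASSPHRASE` variable and the "salt:iv:ciphertext" value layout are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper: the config file holds only "salt:iv:ciphertext"; the passphrase never touches the file. */
public final class ConfigSecret {
    private static final int ITERATIONS = 200_000;
    private static final SecureRandom RNG = new SecureRandom();
    // PBKDF2 turns the operator's passphrase plus a per-value salt into a 256-bit AES key.
    private static SecretKey deriveKey(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Run once by an operator; the returned string is what goes into the YAML file. */
    public static String encrypt(char[] passphrase, String plaintext) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt); RNG.nextBytes(iv);            // fresh salt and nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(iv) + ":" + b64.encodeToString(ct);
    }

    /** Called at startup; a wrong passphrase or an edited config value fails with AEADBadTagException. */
    public static String decrypt(char[] passphrase, String stored) throws Exception {
        String[] p = stored.split(":");
        Base64.Decoder b64 = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, b64.decode(p[0])), new GCMParameterSpec(128, b64.decode(p[1])));
        return new String(c.doFinal(b64.decode(p[2])), StandardCharsets.UTF_8);
    }

    /** Operator keys the passphrase in at the console; on servers it comes from an ACL-protected env var. */
    public static char[] loadPassphrase() {
        java.io.Console console = System.console();
        if (console != null) return console.readPassword("Config passphrase: ");
        String env = System.getenv("APP_CONFIG_PASSPHRASE"); // assumed variable name
        if (env == null) throw new IllegalStateException("no passphrase source available");
        return env.toCharArray();
    }
}
```

At startup the application reads the YAML value and calls `decrypt(loadPassphrase(), value)`; the passphrase char array should be zeroed once the key has been derived.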
 
Bartender
Posts: 1856
I came across Vault the other day which may help out.

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

You can read about this project here: https://www.vaultproject.io/intro/index.html
This integrates with Spring and Spring Boot fairly easily.
 
Pete Letkeman
Bartender
Posts: 1856
Here is a link to Spring Vault along with some sample code: http://projects.spring.io/spring-vault/. This may be better than my previous post, or at least augment it a bit.
 