I have an executable application (jar) which picks the credentials of the target application (cloud) from a YAML (configuration) file. The user enters those credentials manually. The YAML file is loaded once in the single lifecycle of the application/jar.
Until now, the application was designed to pick the plain-text password from the file, but now a requirement came in that the plain-text format is not allowed to be stored in the YAML file, because the client doesn't want to let everybody know the password.
Is there any way I can store the encrypted password in the YAML file so that the application picks that encrypted password, decrypts it and passes it to the target application (cloud)?
If you do end up handling the passwords yourself (but give serious thought to Stephan's suggestion), they should never be decryptable. Rather, when the user enters a password, you encrypt that using the same scheme as the stored password and compare the encrypted versions. If the two passwords are identical they will encrypt to the same value.
If you can decrypt a password, so can anyone else, so always use a non-decryptable scheme.
Check out the Jasypt Project - I've used this in past projects to keep system credentials from being stored in plain text. Of course, you should have multiple layers of security on top of this, like access control lists (ACL), limited privileges, physical security, etc. By "system" credentials, I mean things like DB passwords, generic user accounts, and other things not pertaining to individual users of the system.
I'm sure there's no disagreement that regular user credentials / passphrases should be hashed, not encrypted.
However, I believe that OP is talking about system credentials that are part of an automated authentication process. One way to do automated authentication, of course, is to use SSH key authentication. But that won't work for everything. What if your company policy is to have a generic user assigned to your application? Then you have to use that generic user's credentials for database connections and things like that. That's where tools like Jasypt come in handy. Like I said, I used this tool on past projects and it was fine for what we needed, and for a security-related application no less. Again, this is not and should not be your only line of defense -- you should have a multi-layered security strategy to protect secrets and confidential assets.
What we did was to use Jasypt to encrypt the DB password and then keep the encrypted string in our application's config file. We integrated Jasypt into the application startup process where the operator had to key in the passphrase. We used randomly generated passphrases that were kept secure in password manager programs. We had a schedule for changing those passphrases at regular intervals and a process for distributing the password manager databases securely to people who needed them. For other cases, we kept the passphrases as environment settings on servers to which ACLs limited privileges and access.
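The startup flow described in this answer (ciphertext in the config file, operator supplies the passphrase at startup) as an added example; this is not the answer's or the Jasypt project's own code. It assumes Jasypt 1.9.x and SnakeYAML on the classpath; the YAML layout, the ENC(...) wrapper, the APP_CONFIG_PASSPHRASE variable and all class and method names here are my assumptions.

```java
import java.io.Reader;
import java.io.StringReader;
import java.util.Map;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.yaml.snakeyaml.Yaml;

public class ConfigSecrets {
    // Constructed sample config; the password is a placeholder for Jasypt ciphertext made with "encrypt" below.
    static final String SAMPLE_YAML =
            "cloud:\n  username: app-user\n  password: ENC(<ciphertext-from-encrypt>)\n";

    // Passphrase comes from the operator at startup (console) or a restricted env var, never from the YAML.
    static StandardPBEStringEncryptor newEncryptor(char[] passphrase) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPasswordCharArray(passphrase);
        enc.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // PBKDF2-HMAC-SHA512 + AES-256, JDK 8+
        enc.setKeyObtentionIterations(100_000);           // slows brute force of the passphrase
        enc.setIvGenerator(new RandomIvGenerator());      // AES needs a fresh random IV per encryption
        return enc;
    }

    // Unwrap ENC(...) and decrypt; a bare plaintext value is rejected so a misconfiguration fails loudly.
    static String decryptValue(StandardPBEStringEncryptor enc, String stored) {
        if (stored == null || !stored.startsWith("ENC(") || !stored.endsWith(")")) {
            throw new IllegalStateException("cloud.password must be stored as ENC(...)");
        }
        return enc.decrypt(stored.substring(4, stored.length() - 1));
    }

    @SuppressWarnings("unchecked")
    static String loadCloudPassword(Reader yaml, char[] passphrase) {
        Map<String, Object> root = (Map<String, Object>) new Yaml().load(yaml);
        Map<String, Object> cloud = (Map<String, Object>) root.get("cloud");
        return decryptValue(newEncryptor(passphrase), (String) cloud.get("password"));
    }

    public static void main(String[] args) {
        char[] passphrase = System.console() != null
                ? System.console().readPassword("Config passphrase: ")
                : System.getenv("APP_CONFIG_PASSPHRASE").toCharArray();
        if (args.length == 2 && args[0].equals("encrypt")) { // one-time step run by the operator
            System.out.println("ENC(" + newEncryptor(passphrase).encrypt(args[1]) + ")");
            return;
        }
        String cloudPassword = loadCloudPassword(new StringReader(SAMPLE_YAML), passphrase);
        // hand cloudPassword to the cloud client here; never log it
        java.util.Arrays.fill(passphrase, '\0');
    }
}
```

The encrypt step takes the plaintext as a command-line argument for brevity; in practice read it from a console prompt so it does not end up in shell history or the process list. Note that this only moves the secret from the YAML file to the passphrase, which is why the answer's ACLs and passphrase-handling process still matter.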
I came across Vault the other day which may help out.
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.