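Configuration file encryption - the jasypt approach

For security reasons, passwords must not be hard-coded in source code, and plaintext passwords must not be written directly into configuration files. jasypt encryption is the recommended way to meet this requirement.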

Java Simplified Encryption

Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.

  • High-security, standards-based encryption techniques, both for unidirectional and bidirectional encryption. Encrypt passwords, texts, numbers, binaries...
  • Transparent integration with Hibernate.
  • Suitable for integration into Spring-based applications and also transparently integrable with Spring Security.
  • Integrated capabilities for encrypting the configuration of applications (i.e. datasources).
  • Specific features for high-performance encryption in multi-processor/multi-core systems.
  • Open API for use with any JCE provider.

How to use it

1. Add the jar to the Maven project

<dependency>
 <groupId>com.github.ulisesbocchio</groupId>
 <artifactId>jasypt-spring-boot-starter</artifactId>
 <version>2.1.0</version>
</dependency>

2. Write a jasypt utility class to encrypt the plaintext password

import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class JasyptUtils {
    // Encryptor configuration
    public static SimpleStringPBEConfig cryptor(String password){
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        // Default algorithm in jasypt 1.x; single DES with an MD5-derived key is weak by current standards
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64");
        return config;
    }
    // Encrypt. The `salt` parameter is the password you define yourself, not a cryptographic salt
    public static String encrypt(String salt, String value){
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(cryptor(salt));
        return encryptor.encrypt(value);
    }
    // Decrypt, using the same password that was used to encrypt
    public static String decrypt(String salt, String value){
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(cryptor(salt));
        return encryptor.decrypt(value);
    }

}

3. Or use the jasypt command line tools to encrypt and decrypt

        3.1 Download: https://github.com/jasypt/jasypt/releases/download/jasypt-1.9.3/jasypt-1.9.3-dist.zip

        3.2 The jasypt-1.9.3-dist\jasypt-1.9.3\bin directory contains:

  • A set of .bat files for Windows execution:
    • encrypt.bat: for PBE (Password Based Encryption) encryption operations.
    • decrypt.bat: for PBE (Password Based Encryption) decryption operations.
    • digest.bat: for message digest operations.
    • listAlgorithms.bat: for listing the digest and PBE encryption algorithms available in your JVM.
  • A set of .sh files for Linux/UNIX execution:
    • encrypt.sh: for PBE (Password Based Encryption) encryption operations.
    • decrypt.sh: for PBE (Password Based Encryption) decryption operations.
    • digest.sh: for message digest operations.
    • listAlgorithms.sh: for listing the digest and PBE encryption algorithms available in your JVM.

For example:

./encrypt.sh input="This is my message to be encrypted" password=MYPAS_WORD

4. Take the resulting ciphertext and put it in the configuration file

entry_password:
  aes_key: ENC(ZrkJasasasdfwefR5FDaW0Du6xODF/uuuuu=)
  aesutils_key: ENC(gIypv0H5qwwddd/ooooo=)

Note: the ciphertext must be wrapped in ENC(...) so that jasypt recognizes it and decrypts it.
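
As an added example (not code from the original post or from the jasypt project), the class below rebuilds with plain JCE what an ENC(...) value holds under the step 2 settings: Base64 of an 8-byte random salt followed by the PBEWithMD5AndDES ciphertext. The class name, master password and sample value are constructed, and the salt-then-ciphertext layout is assumed from jasypt's RandomSaltGenerator behaviour.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added example: ENC(...) layout = base64( 8-byte random salt || DES ciphertext ).
public class EncLayoutDemo {
    static final String ALGORITHM = "PBEWithMD5AndDES"; // as configured in step 2
    static final int ITERATIONS = 1000;                  // as configured in step 2
    static final int SALT_LEN = 8;                       // DES block size in bytes

    // Derive the key from the master password and bind the cipher to this value's salt.
    static Cipher cipher(int mode, char[] password, byte[] salt) throws Exception {
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, SecretKeyFactory.getInstance(ALGORITHM).generateSecret(new PBEKeySpec(password)),
               new PBEParameterSpec(salt, ITERATIONS));
        return c;
    }

    static String encrypt(char[] password, String plain) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, password, salt)
                .doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(salt, salt.length + ct.length); // salt first
        System.arraycopy(ct, 0, out, salt.length, ct.length);      // then ciphertext
        return "ENC(" + Base64.getEncoder().encodeToString(out) + ")";
    }

    static String decrypt(char[] password, String wrapped) throws Exception {
        if (!wrapped.startsWith("ENC(") || !wrapped.endsWith(")"))
            throw new IllegalArgumentException("value is not wrapped in ENC(...)");
        byte[] raw = Base64.getDecoder().decode(wrapped.substring(4, wrapped.length() - 1));
        if (raw.length <= SALT_LEN) throw new IllegalArgumentException("value too short");
        byte[] salt = Arrays.copyOfRange(raw, 0, SALT_LEN);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, password, salt)
                .doFinal(raw, SALT_LEN, raw.length - SALT_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "constructed-master-password".toCharArray(); // constructed sample
        String a = encrypt(master, "db-secret"), b = encrypt(master, "db-secret");
        System.out.println(a + "\n" + b); // same plaintext, different output: fresh salt per value
        System.out.println(decrypt(master, a) + " / " + decrypt(master, b));
    }
}
```

Everything needed to decrypt except the master password sits inside the ENC(...) value itself, so the protection of the configuration file rests entirely on how that password is delivered in step 5.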

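5. Deploy the project

When deploying, we can store the password in a Linux environment variable and pass it in at startup as follows:

-Djasypt.encryptor.password=${MY_PASSWORD} -Djasypt.encryptor.algorithm=${MY_ALGORITHM}

Or write it directly into the startup configuration.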

6. jasypt source code analysis

See the article by const伐伐 on this site, which analyzes how jasypt encryption works in Spring Boot.
