2

I have a Spring Boot application that stores certain passwords which are used by another application (App2) to get connections to databases.

I want to encrypt these passwords such that they can be decoded in App2 if a key is available. What's the best way to go about it?

BCrypt does not serve my purpose as I also need to decode the data.

2 Answers

4

You can use the AES encryption algorithm. Here is an example of encryption and decryption in Java:

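import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Note: "AES" on its own resolves to AES/ECB/PKCS5Padding on the default JDK provider,
// so equal plaintexts always produce equal ciphertexts.
private static final String ALGO = "AES";
// Placeholder key constructed for this listing; AES accepts only 16-, 24- or 32-byte keys.
// The Base64 output depends on the key, and a real key should not be hardcoded in source.
private static final byte[] keyValue = new byte[] {
    'T', 'E', 'S', 'T', 'K', 'E', 'Y', '0', '1', '2', '3', '4', '5', '6', '7', '8' };


/**
 * Encrypt a string using AES encryption algorithm.
 *
 * @param pwd the password to be encrypted
 * @return the encrypted string, Base64-encoded (empty if encryption failed)
 */
public static String encrypt(String pwd) {
    String encodedPwd = "";
    try {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGO);
        c.init(Cipher.ENCRYPT_MODE, key);
        // Fix the charset so both applications encode the password identically
        byte[] encVal = c.doFinal(pwd.getBytes(StandardCharsets.UTF_8));
        encodedPwd = Base64.getEncoder().encodeToString(encVal);

    } catch (Exception e) {

        e.printStackTrace();
    }
    return encodedPwd;

}

/**
 * Decrypt a string with AES encryption algorithm.
 *
 * @param encryptedData the Base64-encoded data to be decrypted
 * @return the decrypted string (empty if decryption failed)
 */
public static String decrypt(String encryptedData) {
    String decodedPWD = "";
    try {
        Key key = generateKey();
        Cipher c = Cipher.getInstance(ALGO);
        c.init(Cipher.DECRYPT_MODE, key);
        byte[] decodedValue = Base64.getDecoder().decode(encryptedData);
        byte[] decValue = c.doFinal(decodedValue);
        decodedPWD = new String(decValue, StandardCharsets.UTF_8);

    } catch (Exception e) {

        // Report the failure instead of silently returning an empty string
        e.printStackTrace();
    }
    return decodedPWD;
}

/**
 * Wrap the static key bytes in a Key object for the AES cipher.
 */
private static Key generateKey() {
    SecretKeySpec key = new SecretKeySpec(keyValue, ALGO);
    return key;
}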

Let's test the example in a main method:

public static void main(String[] args) {

    System.out.println(encrypt("password"));
    System.out.println(decrypt(encrypt("password")));

}

The result:

LGB7fIm4PtaRA0L0URK4RA==
password

1 Comment

Hi, the solution looks good, but since I am using Spring Boot, I directly made use of TextEncryptor.
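A hardened variant of the AES approach in the answer above, as an added example that is not part of the original answer: it uses AES-GCM with a fresh random IV per stored value instead of the default `Cipher.getInstance("AES")` transformation (ECB on the standard JDK provider), and it length-checks the key instead of compiling it into the class. The class and method names are illustrative, and the demo key is generated on the spot so the example runs on its own.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public final class PasswordVault {
    private static final int IV_BYTES = 12;   // recommended GCM nonce size
    private static final int TAG_BITS = 128;  // authentication tag length
    /** Builds the AES key from Base64 text; rejects anything but 16, 24 or 32 bytes. */
    static SecretKeySpec loadKey(String base64Key) {
        byte[] raw = Base64.getDecoder().decode(base64Key);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns Base64(IV || ciphertext || tag), with a fresh random IV for every call. */
    static String encrypt(SecretKeySpec key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Fails with AEADBadTagException if the stored value was altered or the key is wrong. */
    static String decrypt(SecretKeySpec key, String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        return new String(c.doFinal(in, IV_BYTES, in.length - IV_BYTES), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);  // throwaway demo key, constructed for this example
        SecretKeySpec key = loadKey(Base64.getEncoder().encodeToString(raw));
        String stored = encrypt(key, "password");
        System.out.println(stored + " -> " + decrypt(key, stored));
    }
}
```

In a deployment, both applications would pass `loadKey` the same Base64 key supplied from outside the code base, for example an environment variable or a secret store, rather than generating it at startup.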
2

Use a TextEncryptor as you are already using Spring. The password and salt that you use when you create one represent your secret:

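// Both values are placeholders; the salt must be a hex-encoded string
// (for example one produced by KeyGenerators.string().generateKey()).
Encryptors.text("password", "deadbeefcafebabe");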

9 Comments

Hi, TextEncryptor looks good but would possibly result in me storing the password and salt in a properties file. Is there a way to make it more secure?
Regardless of what super-secure algorithm you decide on, you will need to store the secret somewhere. Can't see a way around that. You can store them encrypted, but then you need the key to encrypt them, and where will you get that? You can store them obfuscated (for example base64) to prevent them from being seen, but that is no real security either.
Hi, thanks for the help! Just one more thing: while implementing TextEncryptor I get: Unable to initialize due to invalid secret key, which is caused due to JCE. How do I include JCE in my Spring Boot application?
Java version: 8u191, so JCE shouldn't really be a problem-causing parameter.