Preface
In our daily development, we may expose the database password directly in the configuration file at will. This can be done in the development environment, but it is not recommended in the production environment. After all, security is no small matter, and no one knows it. The sky password was leaked somehow. Today, let’s talk about how to encrypt the database password in the springboot project.
text
Solution 1: Use the druid database connection pool to encrypt the database password
1. Introduce druid package in pom.xml
In order to facilitate other operations, the starter of druid is directly introduced here
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid-spring-boot-starter</artifactId>
<version>${druid.version}</version>
</dependency>2. Use com.alibaba.druid.filter.config.ConfigTools to generate public and private keys
ps: , one is generated by command line, and the other is generated directly by writing a tool class. The examples in this article are directly generated using tool classes
The tool code is as follows
/**
* alibaba druid加解密规则:
* 明文密码+私钥(privateKey)加密=加密密码
* 加密密码+公钥(publicKey)解密=明文密码
*/
public final class DruidEncryptorUtils {
private static String privateKey;
private static String publicKey;
static {
try {
String[] keyPair = ConfigTools.genKeyPair(512);
privateKey = keyPair[0];
System.out.println(String.format("privateKey-->%s",privateKey));
publicKey = keyPair[1];
System.out.println(String.format("publicKey-->%s",publicKey));
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (NoSuchProviderException e) {
e.printStackTrace();
}
}
/**
* 明文加密
* @param plaintext
* @return
*/
@SneakyThrows
public static String encode(String plaintext){
System.out.println("明文字符串:" + plaintext);
String ciphertext = ConfigTools.encrypt(privateKey,plaintext);
System.out.println("加密后字符串:" + ciphertext);
return ciphertext;
}
/**
* 解密
* @param ciphertext
* @return
*/
@SneakyThrows
public static String decode(String ciphertext){
System.out.println("加密字符串:" + ciphertext);
String plaintext = ConfigTools.decrypt(publicKey,ciphertext);
System.out.println("解密后的字符串:" + plaintext);
return plaintext;
}
3. Modify the content information of the database configuration file
a, modify password
Replace the password with the password generated by the tool class DruidEncryptorUtils
password: ${DATASOURCE_PWD:HB5FmUeAI1U81YJrT/T6awImFg1/Az5o8imy765WkVJouOubC2H80jqmZrr8L9zWKuzS/8aGzuQ4YySAkhywnA==}b, filter open config
filter:
config:
enabled: truec, configure connectionProperties properties
connection-properties: config.decrypt=true;config.decrypt.key=${spring.datasource.publickey}ps: spring.datasource.publickey is the public key generated by the tool class
Appendix: complete database configuration
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: com.mysql.cj.jdbc.Driver
url: ${DATASOURCE_URL:jdbc:mysql://localhost:3306/demo?useUnicode=true&characterEncoding=utf8&useSSL=false&serverTimezone=Asia/Shanghai}
username: ${DATASOURCE_USERNAME:root}
password: ${DATASOURCE_PWD:HB5FmUeAI1U81YJrT/T6awImFg1/Az5o8imy765WkVJouOubC2H80jqmZrr8L9zWKuzS/8aGzuQ4YySAkhywnA==}
publickey: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAIvP9xF4RCM4oFiu47NZY15iqNOAB9K2Ml9fiTLa05CWaXK7uFwBImR7xltZM1frl6ahWAXJB6a/FSjtJkTZUJECAwEAAQ==
druid:
# 初始连接数
initialSize: 5
# 最小连接池数量
minIdle: 10
# 最大连接池数量
maxActive: 20
# 配置获取连接等待超时的时间
maxWait: 60000
# 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
timeBetweenEvictionRunsMillis: 60000
# 配置一个连接在池中最小生存的时间,单位是毫秒
minEvictableIdleTimeMillis: 300000
# 配置一个连接在池中最大生存的时间,单位是毫秒
maxEvictableIdleTimeMillis: 900000
# 配置检测连接是否有效
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
webStatFilter:
enabled: true
statViewServlet:
enabled: true
# 设置白名单,不填则允许所有访问
allow:
url-pattern: /druid/*
# 控制台管理用户名和密码
login-username:
login-password:
filter:
stat:
enabled: true
# 慢SQL记录
log-slow-sql: true
slow-sql-millis: 1000
merge-sql: true
wall:
config:
multi-statement-allow: true
config:
enabled: true
connection-properties: config.decrypt=true;config.decrypt.key=${spring.datasource.publickey}
Option 2: Use jasypt to encrypt the database password
1. Introduce the jasypt package into pom.xml
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>${jasypt.verison}</version>
</dependency>2. Use the tools provided by jasypt to encrypt the plaintext password
Encryption tools are as follows
public final class JasyptEncryptorUtils {
private static final String salt = "lybgeek";
private static BasicTextEncryptor basicTextEncryptor = new BasicTextEncryptor();
static {
basicTextEncryptor.setPassword(salt);
}
private JasyptEncryptorUtils(){}
/**
* 明文加密
* @param plaintext
* @return
*/
public static String encode(String plaintext){
System.out.println("明文字符串:" + plaintext);
String ciphertext = basicTextEncryptor.encrypt(plaintext);
System.out.println("加密后字符串:" + ciphertext);
return ciphertext;
}
/**
* 解密
* @param ciphertext
* @return
*/
public static String decode(String ciphertext){
System.out.println("加密字符串:" + ciphertext);
ciphertext = "ENC(" + ciphertext + ")";
if (PropertyValueEncryptionUtils.isEncryptedValue(ciphertext)){
String plaintext = PropertyValueEncryptionUtils.decrypt(ciphertext,basicTextEncryptor);
System.out.println("解密后的字符串:" + plaintext);
return plaintext;
}
System.out.println("解密失败");
return "";
}
}3. Modify the content information of the database configuration file
a, Wrap the encrypted string generated with JasyptEncryptorUtils with ENC
password: ${DATASOURCE_PWD:ENC(P8m43qmzqN4c07DCTPey4Q==)}b, configuration key and specified encryption and decryption algorithm
jasypt:
encryptor:
password: lybgeek
algorithm: PBEWithMD5AndDES
iv-generator-classname: org.jasypt.iv.NoIvGeneratorBecause my tool class uses the encryption and decryption tool class is BasicTextEncryptor, its corresponding configuration encryption and decryption is PBEWithMD5AndDES and org.jasypt.iv.NoIvGenerator
ps: In a production environment, it is recommended to use the following method to configure the key to avoid key leakage
java -jar -Djasypt.encryptor.password=lybgeekAppendix: complete database configuration
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: com.mysql.cj.jdbc.Driver
url: ${DATASOURCE_URL:ENC(kT/gwazwzaFNEp7OCbsgCQN7PHRohaTKJNdGVgLsW2cH67zqBVEq7mN0BTIXAeF4/Fvv4l7myLFx0y6ap4umod7C2VWgyRU5UQtKmdwzQN3hxVxktIkrFPn9DM6+YahM0xP+ppO9HaWqA2ral0ejBCvmor3WScJNHCAhI9kHjYc=)}
username: ${DATASOURCE_USERNAME:ENC(rEQLlqM5nphqnsuPj3MlJw==)}
password: ${DATASOURCE_PWD:ENC(P8m43qmzqN4c07DCTPey4Q==)}
druid:
# 初始连接数
initialSize: 5
# 最小连接池数量
minIdle: 10
# 最大连接池数量
maxActive: 20
# 配置获取连接等待超时的时间
maxWait: 60000
# 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
timeBetweenEvictionRunsMillis: 60000
# 配置一个连接在池中最小生存的时间,单位是毫秒
minEvictableIdleTimeMillis: 300000
# 配置一个连接在池中最大生存的时间,单位是毫秒
maxEvictableIdleTimeMillis: 900000
# 配置检测连接是否有效
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
webStatFilter:
enabled: true
statViewServlet:
enabled: true
# 设置白名单,不填则允许所有访问
allow:
url-pattern: /druid/*
# 控制台管理用户名和密码
login-username:
login-password:
filter:
stat:
enabled: true
# 慢SQL记录
log-slow-sql: true
slow-sql-millis: 1000
merge-sql: true
wall:
config:
multi-statement-allow: true
jasypt:
encryptor:
password: lybgeek
algorithm: PBEWithMD5AndDES
iv-generator-classname: org.jasypt.iv.NoIvGeneratorOption three: custom implementation
implementation principle: uses spring post processor to modify DataSource
1. Custom encryption and decryption tools
/**
* 利用hutool封装的加解密工具,以AES对称加密算法为例
*/
public final class EncryptorUtils {
private static String secretKey;
static {
secretKey = Hex.encodeHexString(SecureUtil.generateKey(SymmetricAlgorithm.AES.getValue()).getEncoded());
System.out.println("secretKey-->" + secretKey);
System.out.println("--------------------------------------------------------------------------------------");
}
/**
* 明文加密
* @param plaintext
* @return
*/
@SneakyThrows
public static String encode(String plaintext){
System.out.println("明文字符串:" + plaintext);
byte[] key = Hex.decodeHex(secretKey.toCharArray());
String ciphertext = SecureUtil.aes(key).encryptHex(plaintext);
System.out.println("加密后字符串:" + ciphertext);
return ciphertext;
}
/**
* 解密
* @param ciphertext
* @return
*/
@SneakyThrows
public static String decode(String ciphertext){
System.out.println("加密字符串:" + ciphertext);
byte[] key = Hex.decodeHex(secretKey.toCharArray());
String plaintext = SecureUtil.aes(key).decryptStr(ciphertext);
System.out.println("解密后的字符串:" + plaintext);
return plaintext;
}
/**
* 明文加密
* @param plaintext
* @return
*/
@SneakyThrows
public static String encode(String secretKey,String plaintext){
System.out.println("明文字符串:" + plaintext);
byte[] key = Hex.decodeHex(secretKey.toCharArray());
String ciphertext = SecureUtil.aes(key).encryptHex(plaintext);
System.out.println("加密后字符串:" + ciphertext);
return ciphertext;
}
/**
* 解密
* @param ciphertext
* @return
*/
@SneakyThrows
public static String decode(String secretKey,String ciphertext){
System.out.println("加密字符串:" + ciphertext);
byte[] key = Hex.decodeHex(secretKey.toCharArray());
String plaintext = SecureUtil.aes(key).decryptStr(ciphertext);
System.out.println("解密后的字符串:" + plaintext);
return plaintext;
}
}
2. Write a post processor
public class DruidDataSourceEncyptBeanPostProcessor implements BeanPostProcessor {
private CustomEncryptProperties customEncryptProperties;
private DataSourceProperties dataSourceProperties;
public DruidDataSourceEncyptBeanPostProcessor(CustomEncryptProperties customEncryptProperties, DataSourceProperties dataSourceProperties) {
this.customEncryptProperties = customEncryptProperties;
this.dataSourceProperties = dataSourceProperties;
}
@Override
public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
if(bean instanceof DruidDataSource){
if(customEncryptProperties.isEnabled()){
DruidDataSource druidDataSource = (DruidDataSource)bean;
System.out.println("--------------------------------------------------------------------------------------");
String username = dataSourceProperties.getUsername();
druidDataSource.setUsername(EncryptorUtils.decode(customEncryptProperties.getSecretKey(),username));
System.out.println("--------------------------------------------------------------------------------------");
String password = dataSourceProperties.getPassword();
druidDataSource.setPassword(EncryptorUtils.decode(customEncryptProperties.getSecretKey(),password));
System.out.println("--------------------------------------------------------------------------------------");
String url = dataSourceProperties.getUrl();
druidDataSource.setUrl(EncryptorUtils.decode(customEncryptProperties.getSecretKey(),url));
System.out.println("--------------------------------------------------------------------------------------");
}
}
return bean;
}
}
3. Modify the content information of the database configuration file
a, modify password
Replace the password with an encrypted password generated by a custom encryption tool class
password: ${DATASOURCE_PWD:fb31cdd78a5fa2c43f530b849f1135e7}b, specify the key and enable the encryption function
custom:
encrypt:
enabled: true
secret-key: 2f8ba810011e0973728afa3f28a0ecb6ps: Similarly, the secret-key is best not to be directly exposed in the configuration file, it can be specified with -Dcustom.encrypt.secret-key
Appendix: complete database configuration
spring:
datasource:
type: com.alibaba.druid.pool.DruidDataSource
driverClassName: com.mysql.cj.jdbc.Driver
url: ${DATASOURCE_URL:dcb268cf3a2626381d2bc5c96f94fb3d7f99352e0e392362cb818a321b0ca61f3a8dad3aeb084242b745c61a1d3dc244ed1484bf745c858c44560dde10e60e90ac65f77ce2926676df7af6b35aefd2bb984ff9a868f1f9052ee9cae5572fa015b66a602f32df39fb1bbc36e04cc0f148e4d610a3e5d54f2eb7c57e4729c9d7b4}
username: ${DATASOURCE_USERNAME:61db3bf3c6d3fe3ce87549c1af1e9061}
password: ${DATASOURCE_PWD:fb31cdd78a5fa2c43f530b849f1135e7}
druid:
# 初始连接数
initialSize: 5
# 最小连接池数量
minIdle: 10
# 最大连接池数量
maxActive: 20
# 配置获取连接等待超时的时间
maxWait: 60000
# 配置间隔多久才进行一次检测,检测需要关闭的空闲连接,单位是毫秒
timeBetweenEvictionRunsMillis: 60000
# 配置一个连接在池中最小生存的时间,单位是毫秒
minEvictableIdleTimeMillis: 300000
# 配置一个连接在池中最大生存的时间,单位是毫秒
maxEvictableIdleTimeMillis: 900000
# 配置检测连接是否有效
validationQuery: SELECT 1 FROM DUAL
testWhileIdle: true
testOnBorrow: false
testOnReturn: false
webStatFilter:
enabled: true
statViewServlet:
enabled: true
# 设置白名单,不填则允许所有访问
allow:
url-pattern: /druid/*
# 控制台管理用户名和密码
login-username:
login-password:
filter:
stat:
enabled: true
# 慢SQL记录
log-slow-sql: true
slow-sql-millis: 1000
merge-sql: true
wall:
config:
multi-statement-allow: true
custom:
encrypt:
enabled: true
secret-key: 2f8ba810011e0973728afa3f28a0ecb6to sum up
For the above three schemes, I personally recommend using jasypt, because it can not only encrypt passwords, but also encrypt other content. And druid can only encrypt the database password. As for the custom solution, it is a practice. After all, what you already have in open source, don't make your own wheels anymore.
Finally, there is another point to note that if jasypt is higher than version 2, and lower than 3.0.3, it will cause the configuration center, such as apollo or nacos, to fail the dynamic refresh configuration (the latest version of 3.0.3 officially says that this has been fixed. problem).
If you use the configuration center, jasypt recommends to use version 3 or less, or use version 3.0.3
demo link
https://github.com/lyb-geek/springboot-learning/tree/master/springboot-datasouce-encrypt
java
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。