Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to achieve encryption in the MySQL database, the content of the article is of high quality, so the editor will share it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

How to encrypt it?

For the Java project, if you want to quickly achieve database encryption, the simplest and most feasible solution is to use the Druid provided by Alibaba to achieve encryption.

What is Druid?

Druid (translated into Chinese as a druid) is the best database connection pool in Alibaba's open source Java language. Druid provides powerful monitoring and extension functions, as well as database encryption.

Druid open source address: https://github.com/alibaba/druid/

What can Druid do?

Hongmeng official Strategic Cooperation to build HarmonyOS Technology Community

Druid can monitor database access performance, and Druid provides a powerful StatFilter plug-in built-in, which can count the execution performance of SQL in detail, which is helpful for online analysis of database access performance.

Replacing the database connection pool DBCP and C3P0PowerDruid provides an efficient, powerful and scalable database connection pool.

The database password is encrypted and the database password is written directly in the configuration file, which is a bad behavior and can easily lead to security problems. Both DruidDruiver and DruidDataSource support PasswordCallback.

SQL execution log, Druid provides different LogFilter, which can support Common-Logging, Log4j and JdkLog. You can select the corresponding LogFilter as needed to monitor the database access of your application.

Expand JDBC, if you want to have programming requirements for the JDBC layer, you can use the Filter-Chain mechanism provided by Druid to facilitate the preparation of JDBC layer extensions.

For this article, let's focus on its third feature, which uses Druid to encrypt database passwords.

Encryption execution process

Before password encryption, the interaction flow of the project is as follows:

After using password encryption, the interactive flow of the project becomes like this:

Using Druid to implement encryption

This example runs in the environment:

Spring Boot 2.4.3 MySQL 5.7 Java 1.8 Idea 2020.1.3

1. Add Druid dependency

Maven Project:

Com.alibaba druid-spring-boot-starter 1.2.5

Gradle Project:

Compile 'com.alibaba:druid-spring-boot-starter:1.2.5'

Get the latest version of Druid: https://mvnrepository.com/artifact/com.alibaba/druid-spring-boot-starter

two。 Generate ciphertext

After the Druid is added, you can use the ConfigTools class provided in Druid to encrypt the password. The implementation code is as follows:

Import com.alibaba.druid.filter.config.ConfigTools; class MyTests {public static void main (String [] args) throws Exception {/ / plaintext name String password = "youPassword" to be encrypted; / / [Note: change your own password here] / / call druid to generate private key, public key, ciphertext ConfigTools.main (new String [] {password});}}

The result of the above code execution is as follows:

PrivateKey:MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEApOjcMWSDzJiKVGmtcBBoQPtM9tVW2H2cnS6xZK7NrbzQXYWLQD2zefIrrx9vMvqRIHEqkmAHTuUcUXHgCxu0cwIDAQABAkAlqo5ItdWo0Jqf5zdXJlg5p2yP4HCiqCYyfKzF+2s9KEmgWZJWTctZDsgQ0iYUohORR59I+J4nabhel1x5/INpAiEA6jwSyFqMUPOh2XlrzNFek+RthOQ5n4+ALPo+vULayO0CIQC0O7JM9sIq+tg+jCGv+ypk6vbuRKY9m5W2rSRXapGm3wIgRHul3jAjIDPrF/f1HaAFL+Y0Yws7Ebyp8/yCRWF7iA0CIALbe20q8FMcHPeI4zPWCIsHCpkmb3hEkjAOOKhGIT8DAiAqiUuz92NqKeyjmOfons1ka65EzVwA3NDhZ6+IQcnuig== publicKey:MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKTo3DFkg8yYilRprXAQaED7TPbVVth9nJ0usWSuza280F2Fi0A9s3nyK68fbzL6kSBxKpJgB07lHFFx4AsbtHMCAwEAAQ== password:IMgKm27bOHok3/+5aDL4jGBoVVZkpicbbM6pIXQppi3dI7h4jngSAqhqwqYnfuYpyVJ0k++q9xWWnHtd6sAWnQ==

As can be seen from the above results, using the ConfigTools class generates three parts:

Hongmeng official Strategic Cooperation to build HarmonyOS Technology Community

PrivateKey: private key, which will not be used for the time being, is used for password encryption

PublicKey: public key for decryption of passwords

Password: the encrypted password.

PS: to encrypt the database, publicKey (public key) and password (ciphertext) are mainly used, which converts plaintext into ciphertext.

3. Add configuration

After completing the above operations, you only need to add the public key and ciphertext generated in the previous step to the configuration file application.yml (or application.xml) of the project to implement the encryption operation. The specific configuration information is as follows:

Spring: # MySQL configuration datasource: driver-class-name: com.mysql.cj.jdbc.Driver type: com.alibaba.druid.pool.DruidDataSource druid: url: jdbc:mysql://127.0.0.1:3306/testdb?serverTimezone=Asia/Shanghai&characterEncoding=UTF-8&useSSL=false username: root password: IMgKm27bOHok3/+5aDL4jGBoVVZkpicbbM6pIXQppi3dI7h4jngSAqhqwqYnfuYpyVJ0k++q9xWWnHtd6sAWnQ== # encrypt config filters: config connect-properties: config.decrypt: true config.decrypt.key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKTo3DFkg8yYilRprXAQaED7TPbVVth9nJ0usWSuza280F2Fi0A9s3nyK68fbzL6kSBxKpJgB07lHFFx4AsbtHMCAwEAAQ==

Password corresponds to the password (ciphertext) generated in the previous step, and config.decrypt.key corresponds to the publicKey (public key) generated in the previous step, as shown in the following figure:

An original configuration file is provided here to compare with the encrypted configuration file:

4. Note-Lock with key in it

After the previous three steps of configuration, our program can run normally, but this is far from over!

In step 3 of the configuration, we write both the ciphertext and the public key to the configuration file, so that when someone gets the ciphertext and public key, they can use Druid to restore the encrypted password, just as a lock with a key is extremely insecure.

So we use the posture correctly: find a safe place to save the public key, and dynamically set the public key to the project every time the project starts, which can effectively ensure the security of the password.

The correct configuration file

Next, we set the public key of Spring Boot as the configuration item, and then replace it with a specific value when the project is running. The final security configuration information is as follows:

Spring: # MySQL configuration datasource: driver-class-name: com.mysql.cj.jdbc.Driver type: com.alibaba.druid.pool.DruidDataSource druid: url: jdbc:mysql://127.0.0.1:3306/testdb?serverTimezone=Asia/Shanghai&characterEncoding=UTF-8&useSSL=false username: root password: IMgKm27bOHok3/+5aDL4jGBoVVZkpicbbM6pIXQppi3dI7h4jngSAqhqwqYnfuYpyVJ0k++q9xWWnHtd6sAWnQ== # encrypt config filters: config connect-properties: config.decrypt: true Config.decrypt.key: ${spring.datasource.druid.publickey}

You can see that the public key has been changed to "${spring.datasource.druid.publickey}", which is equivalent to using placeholders to occupy the pit first, and then changing the specific value when the project starts.

PS: "spring.datasource.druid.publickey" is not a fixed and immutable key, this key value can be defined by the user.

Development environment replaces public key

The development environment only needs to configure the value of the public key in the startup parameters of Idea, as shown in the following figure:

The program runs normally when we enter the correct public key value, and the decoding fails when we enter an incorrect public key value, as shown in the following figure:

Production environment replaces public key

The production environment only needs to set the value of the public key dynamically when starting the jar package. Refer to the following command:

Java-jar xxx.jar-- spring.datasource.druid.publickey= your public key

After the Druid operation principle has gone through the above steps, we have completed the encryption of the MySQL password, so that when the Spring Boot project starts, the Druid interceptor will use ciphertext and public key to restore the password to the real password for the project to use, of course, all this does not require human intervention (no need to write any code), Druid has sealed it for me, we only need to go through the above configuration.

What? You want to know how Druid restores the real password through ciphertext and public key?

No problem, to satisfy you. In fact, the corresponding implementation is provided in the ConfigTools class. The code is as follows:

/ / ciphertext String password = "VwH1mu2IUpqjfKTd+gSikiZgJTi+3Y5zFIFRfxYnH1UqHzm1K8TIHnMaV3TErBaGsVEaGV0e63pb0Ys3Wdm7Kg=="; / / Public key String publicKey = "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALWIEp19IM04sB+vQXnEOH9gFNFdL5TFGSEhORgHj4MnfTfBSNaOoSgCaM8BOpjiHmwuEb7LpvmXI1x/ymUvNzECAwEAAQ=="; / / restore to the real password String result = ConfigTools.decrypt (publicKey, password); System.out.println ("final result:" + result); on how to achieve encryption in the MySQL database is shared here. I hope the above content can be helpful to you and learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.