Spring Boot encrypted configuration properties: a detailed look at Spring Cloud Vault

2025-04-06 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03 Report

Sensitive configuration information in a project, such as the database password, generally needs to be encrypted. Spring Boot itself provides no encryption support and cannot encrypt configuration file values; the official documentation offers two solutions, a custom Environment and Spring Cloud Vault. Using jasypt-spring-boot is another option.

Spring Cloud Vault is a client for HashiCorp Vault: it reads data stored in HashiCorp Vault and avoids storing sensitive data in the Spring Boot program itself.

This article describes in detail how to use jasypt-spring-boot, Spring Cloud Vault and HashiCorp Vault, including Vault's AWS Secret engine, Database Secret engine, AWS EC2 authentication and AWS IAM authentication.

Custom Environment

With a custom Environment you implement the encryption and decryption yourself and keep ciphertext in the configuration file, for example:

spring:
  datasource:
    password: a3Ehaf0f/S1Rt6JfOGfQ+w==
jwt:
  secret: a3Ehaf0f/S1Rt6JfOGfQ+w==

Decryption is performed in an implementation of EnvironmentPostProcessor. A simple example:

package org.itrunner.heroes.config;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.boot.env.OriginTrackedMapPropertySource;
import org.springframework.boot.env.YamlPropertySourceLoader;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;

import java.io.IOException;

public class DecryptedEnvironmentPostProcessor implements EnvironmentPostProcessor {
    private final YamlPropertySourceLoader loader = new YamlPropertySourceLoader();

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        Resource path = new ClassPathResource("config.yml");
        PropertySource<?> propertySource = loadYaml(path);
        environment.getPropertySources().addLast(propertySource);
    }

    private PropertySource<?> loadYaml(Resource path) {
        if (!path.exists()) {
            throw new IllegalArgumentException("Resource " + path + " does not exist");
        }
        try {
            OriginTrackedMapPropertySource propertySource =
                    (OriginTrackedMapPropertySource) loader.load("custom-resource", path).get(0);
            return new DecryptedMapPropertySource(propertySource);
        } catch (IOException ex) {
            throw new IllegalStateException("Failed to load yaml configuration from " + path, ex);
        }
    }

    // Wraps the loaded YAML map and decrypts each string value on lookup
    private static class DecryptedMapPropertySource extends MapPropertySource {
        DecryptedMapPropertySource(OriginTrackedMapPropertySource propertySource) {
            super(propertySource.getName(), propertySource.getSource());
        }

        @Override
        public Object getProperty(String name) {
            Object value = super.getProperty(name);
            if (value instanceof CharSequence) {
                // decrypt the ciphertext here and return the plaintext (placeholder in this example)
                return "DecryptedValue";
            }
            return value;
        }
    }
}
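As an added example (not code from the article), here is a post-processor that performs real decryption instead of returning a placeholder. It assumes values are written as ENC(base64), where the blob is a 12-byte nonce followed by AES-256-GCM ciphertext, and that the key arrives base64-encoded in an environment variable named CONFIG_KEY; both conventions are this example's own. It is registered in META-INF/spring.factories like the class above.

```java
package org.itrunner.heroes.config; // package name taken from the article's example

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public class AesGcmEnvironmentPostProcessor implements EnvironmentPostProcessor {
    private static final String PREFIX = "ENC(", SUFFIX = ")";
    private static final int NONCE_LEN = 12, TAG_BITS = 128;

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        // CONFIG_KEY (assumed name): base64 of a 32-byte AES key, supplied by the environment, never by a file
        String keyB64 = environment.getProperty("CONFIG_KEY");
        if (keyB64 == null) {
            return; // no key: leave ENC(...) untouched so a consumer fails loudly instead of using ciphertext
        }
        byte[] key = Base64.getDecoder().decode(keyB64);
        Map<String, Object> plaintext = new LinkedHashMap<>();
        for (PropertySource<?> source : environment.getPropertySources()) {
            if (!(source instanceof EnumerablePropertySource)) {
                continue;
            }
            for (String name : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                Object value = source.getProperty(name);
                if (value instanceof String && ((String) value).startsWith(PREFIX) && ((String) value).endsWith(SUFFIX)) {
                    String blob = ((String) value).substring(PREFIX.length(), ((String) value).length() - SUFFIX.length());
                    plaintext.putIfAbsent(name, decrypt(key, blob)); // first source wins, matching Spring's precedence
                }
            }
        }
        // addFirst: the decrypted source shadows the ENC(...) values for every later lookup
        environment.getPropertySources().addFirst(new MapPropertySource("decryptedProperties", plaintext));
    }

    static String decrypt(byte[] key, String blobB64) {
        byte[] blob = Base64.getDecoder().decode(blobB64);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
            return new String(cipher.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // a failed GCM tag check means a wrong key or a modified value; never fall back to the raw string
            throw new IllegalStateException("cannot decrypt configuration value", e);
        }
    }

    // Helper for producing the ENC(...) values offline: random nonce || GCM ciphertext+tag, base64 encoded
    static String encrypt(byte[] key, String value) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, blob, 0, NONCE_LEN);
        System.arraycopy(ct, 0, blob, NONCE_LEN, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(blob) + SUFFIX;
    }
}
```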

A custom EnvironmentPostProcessor must be registered in META-INF/spring.factories:

org.springframework.boot.env.EnvironmentPostProcessor=org.itrunner.heroes.config.DecryptedEnvironmentPostProcessor

Jasypt Spring Boot

Integrating jasypt-spring-boot

There are three ways to integrate jasypt-spring-boot:

1. If @SpringBootApplication or @EnableAutoConfiguration is used in the project, simply adding jasypt-spring-boot-starter to the classpath enables encryptable properties across the whole Spring environment:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.0</version>
</dependency>

2. Add jasypt-spring-boot to the classpath and add @EnableEncryptableProperties to the main configuration class; encryptable properties are then enabled across the whole Spring environment:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>2.1.0</version>
</dependency>

@Configuration
@EnableEncryptableProperties
public class MyApplication {
    ...
}

3. Add jasypt-spring-boot to the classpath and declare the encrypted properties or YAML files with @EncryptablePropertySource:

@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
    ...
}

Or use @ EncryptablePropertySources:

@Configuration
@EncryptablePropertySources({
    @EncryptablePropertySource("classpath:encrypted.properties"),
    @EncryptablePropertySource("file:/path/to/encrypted2.properties")
})
public class MyApplication {
    ...
}

Encryption configuration

Key                                        | Required | Default Value
-------------------------------------------|----------|-------------------------------------
jasypt.encryptor.password                  | True     | -
jasypt.encryptor.algorithm                 | False    | PBEWithMD5AndDES
jasypt.encryptor.bean                      | False    | jasyptStringEncryptor
jasypt.encryptor.keyObtentionIterations    | False    | 1000
jasypt.encryptor.poolSize                  | False    | 1
jasypt.encryptor.providerName              | False    | null
jasypt.encryptor.saltGeneratorClassname    | False    | org.jasypt.salt.RandomSaltGenerator
jasypt.encryptor.stringOutputType          | False    | base64
jasypt.encryptor.proxyPropertySources      | False    | false
jasypt.encryptor.property.prefix           | False    | ENC(
jasypt.encryptor.property.suffix           | False    | )

By default the encryption algorithm is PBEWithMD5AndDES, the encryptor bean name is jasyptStringEncryptor, and encrypted values must be wrapped in ENC().

All of these properties can be declared in the configuration file, but the encryptor password should not be stored there; pass it in as a system property or command line argument named jasypt.encryptor.password:

java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password

or

java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar

You can also use environment variables in application.properties or application.yml:

jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}

Example configuration file:

spring:
  jpa:
    database-platform: org.hibernate.dialect.PostgreSQLDialect
    hibernate:
      ddl-auto: update
    properties:
      hibernate:
        default_schema: heroes
        format_sql: true
        jdbc:
          lob:
            non_contextual_creation: true
    show-sql: true
  datasource:
    platform: postgresql
    driver-class-name: org.postgresql.Driver
    url: jdbc:postgresql://localhost:5432/postgres
    username: hero
    password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
    initialization-mode: never
jasypt:
  encryptor:
    algorithm: PBEWithMD5AndDES
    password: 1qefhQH7mRR4LADVettR
    stringOutputType: base64
    property:
      prefix: ENC(
      suffix: )

Generate encrypted data

Use the CLI tool JasyptPBEStringEncryptionCLI to generate encrypted data as follows:

java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="inputdata" password=secretkey algorithm=PBEWithMD5AndDES

After execution, the output is as follows:

----ENVIRONMENT-----------------

Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12

----ARGUMENTS-------------------

algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mR4LADVettRKUTUT

After generation, replace the plaintext value with ENC(ciphertext).
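An added example (not code from the article or from jasypt-spring-boot) of the encryptor the starter builds from the jasypt.encryptor.* settings above, used on its own to produce and check ENC(...) values. It reads the password from JASYPT_ENCRYPTOR_PASSWORD as the configuration above does; a bean of type StringEncryptor named jasyptStringEncryptor (the jasypt.encryptor.bean default) could return the same object to the starter.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.salt.RandomSaltGenerator;

import java.util.Base64;

public class JasyptEncDemo {
    // Same settings as the jasypt.encryptor.* keys in the table above
    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(password);                        // jasypt.encryptor.password
        enc.setAlgorithm("PBEWithMD5AndDES");             // jasypt.encryptor.algorithm: PBKDF1/MD5 + 56-bit DES,
                                                          // a legacy default; newer jasypt releases support AES-based PBE
        enc.setKeyObtentionIterations(1000);              // jasypt.encryptor.keyObtentionIterations
        enc.setSaltGenerator(new RandomSaltGenerator());  // jasypt.encryptor.saltGeneratorClassname
        enc.setStringOutputType("base64");                // jasypt.encryptor.stringOutputType
        return enc;
    }

    static String wrap(String ciphertext) {
        return "ENC(" + ciphertext + ")";                 // jasypt.encryptor.property.prefix / suffix
    }

    static String unwrap(String value) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC() value: " + value);
        }
        return value.substring(4, value.length() - 1);
    }

    public static void main(String[] args) {
        String password = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("set JASYPT_ENCRYPTOR_PASSWORD; the password does not belong in the config file");
        }
        StandardPBEStringEncryptor enc = encryptor(password);

        String first = wrap(enc.encrypt("hero"));
        String second = wrap(enc.encrypt("hero"));
        // The random 8-byte salt is prepended to the DES-CBC output, so equal plaintexts give different values
        System.out.println(first + " and " + second + " differ: " + !first.equals(second));

        byte[] raw = Base64.getDecoder().decode(unwrap(first));
        // salt (8 bytes) + PKCS#5-padded DES-CBC ciphertext: always a multiple of the 8-byte block
        System.out.println("decoded length " + raw.length + ", block aligned: " + (raw.length % 8 == 0));

        System.out.println("decrypts to: " + enc.decrypt(unwrap(first)));

        try {
            encryptor("wrong-" + password).decrypt(unwrap(first));
        } catch (EncryptionOperationNotPossibleException e) {
            // A wrong password is normally caught by the PKCS#5 padding check; there is no authentication
            // tag, so this scheme cannot detect a modified value the way an AEAD mode would
            System.out.println("wrong password: decryption rejected");
        }
    }
}
```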

HashiCorp Vault

HashiCorp Vault provides centralized management of secrets and protection of sensitive data, and can be accessed through its UI, CLI or HTTP API. HashiCorp Vault is written in Go.

Getting started with HashiCorp Vault

Install HashiCorp Vault

Download the HashiCorp Vault build for your system and extract the zip package; it contains a single executable.

Taking a Linux system as an example:

$ unzip vault_1.0.2_linux_amd64.zip
$ sudo chown root:root vault
$ sudo chmod 755 vault
$ sudo mv vault /usr/local/bin/
$ vault --version

Help

Run vault directly to see the supported commands:

$ vault
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens

Run vault [command] [subcommand] -h to view the parameters a command supports.

path-help shows the configuration supported by a path, whether it belongs to the system, a Secret engine, an authentication method or something else, and is often useful in practice. For example:

$ vault path-help sys/
$ vault path-help database/
$ vault path-help database/roles
$ vault path-help aws/
$ vault path-help auth/token/
$ vault path-help auth/aws/

Note: the corresponding feature must be enabled before its path can be viewed.

Automatic completion

On Linux, Vault supports command auto-completion: after it is installed, typing vault [tab] shows command hints. Install it with the following commands:

$ vault -autocomplete-install
$ exec $SHELL

After installation, the following line is added to ~/.bashrc:

complete -C /usr/local/bin/vault vault

Start Vault in dev mode

Starting in dev mode requires no configuration, and all data is kept in memory.

$ vault server -dev

The console output is as follows:

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: (not set)
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v1.0.1
             Version Sha: 08df121c8b9adcc2b8fd55fc8506c3f9714c7e61

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: xSahEjtRQMMwbyBW6+rIzE2RRJ4d8X7BmAyPsSk63yE=
Root Token: s.5bnclu8POKx2WCxETB4u8RqF

Development mode should NOT be used in production installations!

The Unseal Key and Root Token should be saved. A Vault started in dev mode is already unsealed, so the Unseal Key is not needed to unseal the server. The Root Token is required to access Vault. It is recommended to save the Vault server address in the environment variable VAULT_ADDR; otherwise the -address parameter must be given whenever vault is accessed from the command line.

View Vault Server status:

$ vault status -address=http://127.0.0.1:8200

Note: -address defaults to https://127.0.0.1:8200

Log in to Vault

To log in to Vault from the browser, enter http://localhost:8200 in the address bar:

Enter "Root Token" in the Token text box to enter the Vault main interface:

Log in to Vault from the command line:

$ vault login -method=token -address=http://127.0.0.1:8200
Token (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.1Pv48heTmZhXjm0bBd84Muef
token_accessor       3gfMlTXFPHX3ehMQzkJUrk3o
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

Authentication methods

Vault supports multiple authentication methods; the token method is enabled by default.

View the enabled authentication methods from the command line:

$ vault auth list
Path      Type     Accessor               Description
----      ----     --------               -----------
token/    token    auth_token_cd421269    token based credentials

Secret engines

Vault supports a variety of Secret engines. Some engines only store and read data, such as kv; some connect to other services and generate dynamic credentials on demand, such as AWS and database; others provide encryption services (such as transit), certificate generation (such as pki) and so on. The kv (Key-Value) and cubbyhole engines are enabled by default.

View the enabled Secret engines from the command line:

$ vault secrets list
Path          Type         Accessor              Description
----          ----         --------              -----------
cubbyhole/    cubbyhole    cubbyhole_835f8a75    per-token private secret storage
identity/     identity     identity_0ba84c63     identity store
secret/       kv           kv_9558dfb7           key/value secret storage
sys/          system       system_5f7114e7       system endpoints used for control, policy and debugging

We create a secret under the kv engine mounted at secret/ for later testing, as follows:

You can also use the command line:

$ vault kv put secret/heroes-api hello=coco

Query the secret:

$ vault kv get secret/heroes-api

Deploy HashiCorp Vault

Vault was started in dev mode above; this section explains how to configure it for a real environment.

Configure Vault

To start Vault in non-dev mode you must provide at least one configuration file, created as follows:

$ sudo mkdir --parents /etc/vault.d
$ sudo touch /etc/vault.d/vault.hcl
$ sudo chown --recursive ec2-user:ec2-user /etc/vault.d
$ sudo chmod 640 /etc/vault.d/vault.hcl

The configuration file supports HCL (HashiCorp Configuration Language) and JSON formats. The content of vault.hcl is as follows:

ui = true

storage "file" {
  path = "/usr/vault/data"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/cert.pem"
  tls_key_file  = "/etc/vault.d/privkey.pem"
}

api_addr = "https://10.188.12.119:8200"

Parameters:

ui: whether the UI is enabled; the default is false

storage: physical storage. The following types are supported: azure, cassandra, cockroachdb, consul, couchdb, dynamodb, etcd, file, foundationdb, spanner, gcs, inmem, manta, mssql, mysql, postgresql, s3, swift, zookeeper

listener: listeners; one or more can be configured

api_addr: used in a cluster environment; specifies the URL published to the other Vault servers in the cluster for client redirection. It can also be set through the environment variable VAULT_API_ADDR

Generate a self-signed certificate:

$ openssl genrsa -out privkey.pem
$ openssl req -x509 -new -key privkey.pem -out cert.pem -days 365 -subj /C=CN/ST=Beijing/L=Beijing/CN=vault.itrunner.org/OU=itrunner/O=itrunner/emailAddress=sjc-925@163.com

When using a self-signed certificate, the environment variable VAULT_CACERT must be set:

$ export VAULT_CACERT='/etc/vault.d/cert.pem'

When Spring Cloud Vault accesses Vault over HTTPS, the client needs the certificate configured; run the following command to import cert.pem into a keystore:

$ keytool -importcert -keystore keystore.jks -file cert.pem -noprompt -storepass changeit -alias heroes

Test starting Vault

Before starting, allow the vault binary to use the mlock syscall:

$ sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault

Otherwise, the following error is displayed:

Error initializing core: Failed to lock memory: cannot allocate memory

This usually means that the mlock syscall is not available.
Vault uses mlock to prevent memory from being swapped to
disk. This requires root privileges as well as a machine
that supports mlock. Please enable mlock on your system or
disable Vault from using it. To disable Vault from using it,
set the `disable_mlock` configuration option in your configuration
file.

Start Vault:

$ vault server -config=/etc/vault.d/vault.hcl

Configure the Vault service

Kill the vault process started above and configure vault as a system service.

Create a vault.service:

$ sudo touch /etc/systemd/system/vault.service

The contents are as follows:

[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault.d/vault.hcl

[Service]
User=ec2-user
Group=ec2-user
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
Capabilities=CAP_IPC_LOCK+ep
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
ExecStart=/usr/local/bin/vault server -config=/etc/vault.d/vault.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitIntervalSec=60
StartLimitBurst=3

[Install]
WantedBy=multi-user.target

Start Vault:

$ sudo systemctl enable vault
$ sudo systemctl start vault
$ sudo systemctl status vault

Initialize Vault

Initialization must be performed after vault is started for the first time.

$ vault operator init

Initialization generates the encryption key, the unseal keys and the Initial Root Token; this data must be stored in a secure place.

Unseal Key 1: 1OlGbwCZ/y4IeULDGWdi1x3I4weOil8sWanlZ5M3gUN8
Unseal Key 2: LwILr0IuyKLwpooN8d7C6mQPr/AuzqzMq20RhKQlw8gR
Unseal Key 3: OMr0B1n4ugZErUWzwsoA3rFZw3v3nsJM5oQWocgr9SYo
Unseal Key 4: a1m2Wbz+tlv1e7cTsidXKa1Yt/DTbzaFJlza2s/khUau
Unseal Key 5: ZuL66Av5SOH9gYLii2VHec6CcWUktXk99qabWfcSAF9H

Initial Root Token: s.1Pv48heTmZhXjm0bBd84Muef

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Seal/Unseal

After initialization the Vault server is sealed and cannot serve reads, because it does not know how to decrypt the stored data. The initialization output includes "Vault initialized with 5 key shares and a key threshold of 3", which means 3 of the 5 keys are needed to unseal. Run the unseal command as follows:

$ vault operator unseal

Pick 3 keys and run the command above 3 times, until the Sealed status is false:

Unseal Key (will be hidden):
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.0.1
Cluster Name    vault-cluster-654a8704
Cluster ID      91e5ea90-1a78-45c8-36f6-99a0ba7b5eec
HA Enabled      false

Log in to Vault

Log in to Vault with the Initial Root Token:

$ vault login s.1Pv48heTmZhXjm0bBd84Muef

After a successful login, the following result is output:

Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.

Key                  Value
---                  -----
token                s.1Pv48heTmZhXjm0bBd84Muef
token_accessor       3gfMlTXFPHX3ehMQzkJUrk3o
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"]

A root user can re-seal Vault:

$ vault operator seal

Vault supports cluster deployment. For more information, please see the official documentation.

Token and Policy management

The Root Token has the highest privileges. Best practice is not to keep it, but to generate one with the vault operator generate-root command when it is needed and revoke it after use.

Revoke the token

$ vault token revoke -self

Generate Root Token

Initialize root token generation, which produces a one-time password (OTP) and a nonce:

$ vault operator generate-root -init
A One-Time-Password has been generated for you and is shown in the OTP field.
You will need this value to decode the resulting root token, so keep it safe.

Nonce         94e81220-dc59-16c5-1f08-180551cfa158
Started       true
Progress      0/3
Complete      false
OTP           kVpqIjLf7BZQgNUbEBAuQPikRk
OTP Length    26

Generate the Root Token:

$ vault operator generate-root
Operation nonce: 94e81220-dc59-16c5-1f08-180551cfa158
Unseal Key (will be hidden):
Nonce       94e81220-dc59-16c5-1f08-180551cfa158
Started     true
Progress    1/3
Complete    false

An Unseal Key must be entered 3 times in total. On success, the Encoded Token is output:

Encoded Token    GHhHHBovfg9dEQAiASNhFiEFMT0DOjw+Gx4

Decode the token:

$ vault operator generate-root -decode=GHhHHBovfg9dEQAiASNhFiEFMT0DOjw+Gx4 -otp=kVpqIjLf7BZQgNUbEBAuQPikRk

Create a Token with a time to live and no explicit policy:

$ vault token create -ttl 10m
Key                  Value
---                  -----
token                s.8DibgV8wlTJq3ygtcfK4ne2K
token_accessor       NuElYtSnxF51JXli3LC6XKHM
token_duration       10m
token_renewable      true
token_policies       ["root"]
identity_policies    []
policies             ["root"]

The new token is a child of the token currently in use, and its permissions are inherited from that token.

To renew the token:

$ vault token renew s.8DibgV8wlTJq3ygtcfK4ne2K

Create a Token with a specified Policy

A policy grants capabilities on paths, for example:

# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Even though we allowed secret/*, this line explicitly denies
# secret/super-secret. This takes precedence.
path "secret/super-secret" {
  capabilities = ["deny"]
}

Create a policy file that only allows reading the path secret/heroes-api:

$ vi heroes-policy.hcl

The contents are as follows:

path "secret/heroes-api" {
  capabilities = ["read"]
}

Upload the policy:

$ vault policy write heroes heroes-policy.hcl

Create a Token with the new policy:

$ vault token create -policy=heroes
Key                  Value
---                  -----
token                s.1bJDHR7VuSaHfquqmoQREioA
token_accessor       FGufmiTSqWcEaiZAg9nuLkvx
token_duration       768h
token_renewable      true
token_policies       ["default" "heroes"]
identity_policies    []
policies             ["default" "heroes"]

The default duration is 768h and the policies are "default" and "heroes".
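An added example (not code from the article) that reads secret/heroes-api over Vault's HTTP API with a policy-scoped token, which is the kind of request Spring Cloud Vault issues at startup. It assumes the dev server from this article (VAULT_ADDR defaulting to http://127.0.0.1:8200) and a token in VAULT_TOKEN, for instance the one created with -policy=heroes; the class and helper names are this example's own.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class VaultKvReader {
    private final String vaultAddr;
    private final HttpClient client = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();

    VaultKvReader(String vaultAddr) {
        this.vaultAddr = vaultAddr;
    }

    // kv v1: GET /v1/secret/<name>. kv v2 (what "vault server -dev" mounts at secret/): GET /v1/secret/data/<name>.
    // A policy written for v1 ("secret/heroes-api") does not cover the v2 path ("secret/data/heroes-api"),
    // so a token that works with "vault kv get" in one mode can be denied in the other.
    static String apiPath(String mount, String name, int kvVersion) {
        return kvVersion == 2 ? mount + "/data/" + name : mount + "/" + name;
    }

    HttpResponse<String> read(String token, String path) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder(URI.create(vaultAddr + "/v1/" + path))
                .header("X-Vault-Token", token) // the token carries the policies; it goes in a header, never the URL
                .GET()
                .build();
        return client.send(request, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        String addr = System.getenv().getOrDefault("VAULT_ADDR", "http://127.0.0.1:8200");
        String token = System.getenv("VAULT_TOKEN");
        if (token == null) {
            throw new IllegalStateException("set VAULT_TOKEN (e.g. the token created with -policy=heroes)");
        }
        VaultKvReader reader = new VaultKvReader(addr);
        for (int version : new int[] {1, 2}) {
            HttpResponse<String> response = reader.read(token, apiPath("secret", "heroes-api", version));
            // 200: secret returned (kv v2 nests it under data.data); 403: the token's policies do not allow
            // this path; 404: nothing at this path, e.g. a v1-style path on a v2 mount
            System.out.printf("kv v%d path -> HTTP %d: %s%n", version, response.statusCode(), response.body());
        }
    }
}
```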

Log in with the new token and view the secret:

$ vault login s.1bJDHR7VuSaHfquqmoQREIOA
$ vault kv get secret/heroes-api

AWS Secret engine

With the AWS Secret engine, a new AWS user and login credentials (access keys) are created for each access, and Vault does not store the credentials.

Enable the AWS Secret engine:

$ vault secrets enable aws
Success! Enabled the aws secrets engine at: aws/

Configure the AWS account:

$ vault write aws/config/root access_key=VKIAJBRHKH6EVTTNXDHA secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj region=cn-north-1
Success! Data written to: aws/config/root

Note: the vault path-help command shows the configuration supported by this path:

$ vault path-help aws/

Create a role

Configure the role of the AWS user created by Vault:

$ vault write aws/roles/my-role \
    credential_type=iam_user \
    policy_document=-
