Property Encryption

...

For the new property encryption mechanism, a password is required. This password is the secret from which the encryption key is derived; anyone who knows it can decrypt every encrypted property. We recommend that you use a long, randomly generated password such as the one in the example below, and that you store it outside the configuration files that hold the encrypted values.

...

Code Block
languagetext
titleapplication.properties
blueriq.properties.encryption.password=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

...

  • The application decrypts properties at startup. If decryption of any property fails, the application will not start. The usual causes are that no password is configured, or that the configured password is not the one the property was encrypted with.
  • Unlike the old mechanism, any property can be encrypted.

Document Renderer Service

The Document Renderer Service has the same mechanism for encrypting any property value.

The best practice for configuring the password is to set it as an environment variable like this:

Code Block
titleEnvironment Variable
BLUERIQ__PROPERTIES__ENCRYPTION__PASSWORD=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Alternatively, pass it as a runtime argument on startup like this:

Code Block
titleRuntime argument
--blueriq:properties:encryption:password=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Technically you can also set it as a regular property in the .yml file, but this is not recommended: keeping the password in the same file as the encrypted values defeats the purpose of encrypting them.

Encrypting passwords with the Blueriq Encryptor

...

Afterwards you can enter a new value to be encrypted. Exit the application with Ctrl-C or by leaving the input blank.

Please refer to Legacy property encryption for the old encryption mechanism.

Encryption algorithm

The encryption uses the following parameters:

  • AES-256 (256 bit key) in CBC mode with PKCS#5 padding.
  • Key Derivation Function: PBKDF2 (Password-Based Key Derivation Function 2) with HMAC-SHA-512, producing the 256 bit AES key.
  • A random salt, generated when encrypting the property.
  • A random initialization vector (IV), generated when encrypting the property.
  • 1000 key derivation iterations.

...

  • hash function and 1000 iterations.
  • Using a random 16 byte (128 bit) salt.
  • Using a random 16 byte (128 bit) initialization vector.

The Document Renderer Service assumes this algorithm is used and currently supports no other means of encryption!
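The following Java program is an added illustration of the parameters listed above; it is neither the Blueriq Encryptor nor Jasypt code. It uses the JDK's own PBKDF2WithHmacSHA512 and AES/CBC/PKCS5Padding primitives with the documented sizes, stores the random salt and IV in front of the ciphertext (an assumed layout, since the page does not specify how encrypted values are serialized), and shows how a wrong password surfaces as a decryption failure, which is what makes the runtime refuse to start. The class name PropertyCrypto and the sample plaintext are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Stand-alone re-implementation of the documented parameters (example only). */
public final class PropertyCrypto {
    private static final int SALT_BYTES = 16;      // random 16 byte salt
    private static final int IV_BYTES = 16;        // random 16 byte IV (AES block size)
    private static final int KEY_BITS = 256;       // AES-256
    private static final int ITERATIONS = 1000;    // PBKDF2 iterations as documented
    private static final SecureRandom RNG = new SecureRandom();

    // PBKDF2-HMAC-SHA512(password, salt) -> 256 bit AES key
    private static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] keyBytes = factory.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(keyBytes, "AES");
    }

    /** Encrypts a property value; output layout (assumed) is base64(salt || iv || ciphertext). */
    public static String encrypt(char[] password, String plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[SALT_BYTES + IV_BYTES + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_BYTES);
        System.arraycopy(iv, 0, out, SALT_BYTES, IV_BYTES);
        System.arraycopy(ct, 0, out, SALT_BYTES + IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decrypts a value produced by encrypt(); a wrong password almost always ends in BadPaddingException. */
    public static String decrypt(char[] password, String encoded) throws GeneralSecurityException {
        byte[] raw = Base64.getDecoder().decode(encoded);
        int minLength = SALT_BYTES + IV_BYTES + 16;
        if (raw.length < minLength || (raw.length - SALT_BYTES - IV_BYTES) % 16 != 0) {
            throw new GeneralSecurityException("encrypted value is too short or not block-aligned");
        }
        byte[] salt = Arrays.copyOfRange(raw, 0, SALT_BYTES);
        byte[] iv = Arrays.copyOfRange(raw, SALT_BYTES, SALT_BYTES + IV_BYTES);
        byte[] ct = Arrays.copyOfRange(raw, SALT_BYTES + IV_BYTES, raw.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        try {
            return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            // This is the failure the runtime hits at startup when the password does not match.
            throw new GeneralSecurityException("decryption failed: wrong password or corrupted value", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Sample password from this page; the plaintext is a constructed example value.
        char[] password = "190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f".toCharArray();
        String encrypted = encrypt(password, "db-secret-123");
        System.out.println("encrypted: " + encrypted);
        System.out.println("decrypted: " + decrypt(password, encrypted));
        try {
            decrypt("not-the-right-password".toCharArray(), encrypted);
        } catch (GeneralSecurityException e) {
            System.out.println("startup would fail: " + e.getMessage());
        }
    }
}
```

Two caveats follow from the parameters themselves. CBC with PKCS#5 padding carries no integrity check, so a wrong password is detected only because the padding almost always comes out invalid; roughly one in 256 wrong passwords decrypts to garbage without any error, so a successful start does not prove that a value was decrypted correctly or untouched. And 1000 PBKDF2 iterations is well below current guidance for password-derived keys (OWASP recommends hundreds of thousands for PBKDF2-HMAC-SHA512), which is one more reason to use a long random password, as the examples on this page do, instead of relying on the key derivation to slow down guessing.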

Customizing property encryption

The property encryption mechanism uses sensible defaults. If you want to customize the way your properties are encrypted and decrypted, add your own org.jasypt.encryption.pbe.PBEStringEncryptor bean to your project and reference it by its bean name with the following property:

Code Block
languagetext
titleapplication.properties
jasypt.encryptor.bean = <name_of_the_custom_bean>

...

Info
titleBlueriq Encryptor

The Blueriq Encryptor only produces values for the default, non-customized encryption. If you customize the encryptor bean, you have to provide your own encryptor application that uses the same configuration, otherwise the runtime cannot decrypt the values it produces.


Info
titleDocument Renderer Support

The Document Renderer Service currently has no support for custom decryption algorithms.
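As an added example for the Customizing property encryption section above (this is not Blueriq's or Jasypt's own code), the following Spring configuration registers a custom org.jasypt.encryption.pbe.PBEStringEncryptor bean and doubles as the self-written encryptor tool that the Blueriq Encryptor info box calls for, so that both sides derive keys with exactly the same settings. It assumes jasypt 1.9.3 and jasypt-spring-boot (the library the jasypt.encryptor.bean property belongs to) on the classpath and raises the PBKDF2 iteration count while keeping the documented AES-256-CBC, HMAC-SHA-512, random salt and random IV. The bean name strongPropertyEncryptor, the class name, the iteration count of 600000 and the environment variable PROPERTY_ENCRYPTION_PASSWORD used by the command-line tool are assumptions; how an encrypted value is marked in the properties file is not part of this excerpt, so the tool prints the bare encrypted string.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Registers a customized encryptor bean and, via main(), acts as the matching
 * encryptor tool. Reference the bean with: jasypt.encryptor.bean=strongPropertyEncryptor
 */
@Configuration
public class CustomEncryptorConfig {

    // Assumed value: well above the default of 1000 documented above.
    static final int KEY_OBTENTION_ITERATIONS = 600_000;

    /** Single source of truth for the algorithm settings, shared by the bean and the tool. */
    static PooledPBEStringEncryptor buildEncryptor(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");      // PBKDF2-HMAC-SHA512 + AES-256-CBC
        config.setKeyObtentionIterations(KEY_OBTENTION_ITERATIONS);
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator"); // required for AES in CBC mode
        config.setStringOutputType("base64");
        config.setPoolSize(4);
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    /** The bean the runtime uses once jasypt.encryptor.bean points at it. */
    @Bean("strongPropertyEncryptor")
    public PooledPBEStringEncryptor strongPropertyEncryptor(
            @Value("${blueriq.properties.encryption.password}") String password) {
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("blueriq.properties.encryption.password is not configured");
        }
        return buildEncryptor(password);
    }

    /**
     * Encryptor tool for the customized settings. The password is read from an environment
     * variable (assumed name) rather than from the command line, so it does not show up in
     * the process list or shell history.
     *
     *   PROPERTY_ENCRYPTION_PASSWORD=... java CustomEncryptorConfig 'value to encrypt'
     */
    public static void main(String[] args) {
        String password = System.getenv("PROPERTY_ENCRYPTION_PASSWORD");
        if (args.length != 1 || password == null || password.isEmpty()) {
            System.err.println("usage: PROPERTY_ENCRYPTION_PASSWORD=<password> java CustomEncryptorConfig <value>");
            System.exit(2);
        }
        PooledPBEStringEncryptor encryptor = buildEncryptor(password);
        String encrypted = encryptor.encrypt(args[0]);
        // Sanity check before handing the value out: the same configuration must decrypt it.
        if (!args[0].equals(encryptor.decrypt(encrypted))) {
            throw new IllegalStateException("round trip failed; do not use this value");
        }
        System.out.println(encrypted);
    }
}
```

Because the bean and the tool share buildEncryptor(), any later change to the algorithm, iteration count or generators automatically applies to both; values encrypted before such a change will no longer decrypt, so re-encrypt existing properties whenever the settings move. As the info box above states, the Document Renderer Service does not use the custom bean and must keep the default algorithm.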