Securing Sensitive Data in Spring Boot with application.properties and Launch Files

Source: Securing Sensitive Data in Spring Boot with application.properties and Launch Files

1. Understanding the Problem

Spring Boot applications rely on application.properties or application.yml files to define environment-specific settings. These files might be bundled in deployment packages or referenced in launch files for runtime execution.

1.1 Why Is This a Problem?

When sensitive data like database credentials or API keys is embedded directly in these files, the following risks emerge:

Version Control Exposure: Files containing sensitive information might inadvertently be committed to Git.
Insider Threats: Anyone with access to deployment packages could misuse the secrets.
Runtime Vulnerabilities: Plain text configurations are exposed if the application logs them.

1.2 What Are Launch Files?

Launch files, such as those used with Docker, Kubernetes, or custom scripts, often reference Spring Boot configuration files. These files specify runtime parameters, including environment variables or arguments, and act as a bridge between the application and its deployment environment. A misstep in launch file design can inadvertently expose sensitive data during runtime.

2. Securing Sensitive Data in Spring Boot Configuration

Let’s tackle the challenge by implementing robust methods to safeguard sensitive data.

2.1 Externalizing Configuration with Environment Variables

Environment variables offer a straightforward approach to keep sensitive data out of configuration files.

Example: Using Environment Variables in application.properties:

# application.properties
spring.datasource.url=jdbc:mysql://localhost:3306/mydb
spring.datasource.username=${DB_USERNAME}
spring.datasource.password=${DB_PASSWORD}

Set the environment variables securely in your launch file or system shell:

Linux/macOS:

export DB_USERNAME=myuser
export DB_PASSWORD=securepassword

Windows (PowerShell):

$env:DB_USERNAME="myuser"
$env:DB_PASSWORD="securepassword"

Advantages:

Secrets are managed outside the codebase.
You avoid hardcoding sensitive data in your repository.

Launch File Integration: For Docker Compose:

services:
  app:
    environment:
      - DB_USERNAME=myuser
      - DB_PASSWORD=securepassword

2.2 Using Encrypted Properties with Jasypt

Jasypt provides an elegant solution to encrypt sensitive data directly in application.properties while allowing runtime decryption.

Step 1: Add Jasypt Dependency Include the following dependency in your pom.xml:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.4</version>
</dependency>

Step 2: Encrypt Sensitive Data Encrypt your password using the Jasypt CLI:

java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI 
  input="securepassword" password="encryptionKey" algorithm=PBEWithMD5AndDES

Encrypted output:

ENC(nj+ksjC6/FK9lVZVXFo28g==)

Step 3: Use the Encrypted Value Update application.properties:

spring.datasource.password=ENC(nj+ksjC6/FK9lVZVXFo28g==)

Step 4: Set the Decryption Key Provide the decryption key as an environment variable in the launch file:

export JASYPT_ENCRYPTOR_PASSWORD=encryptionKey

How It Works: At runtime, Jasypt decrypts the encrypted value using the specified key.

Launch File Integration: For Kubernetes:

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        env:
        - name: JASYPT_ENCRYPTOR_PASSWORD
          value: "encryptionKey"

2.3 Masking Sensitive Data in Logs

Even with encrypted properties or environment variables, sensitive data can still accidentally appear in logs during debugging or error reporting. Spring Boot provides mechanisms to control this.

Example: Masking Sensitive Data In your application.properties, specify keys to mask:

management.endpoint.env.keys-to-sanitize=PASSWORD,SECRET,KEY

What This Does:

Prevents sensitive values from being logged in plain text.
Replaces values with ** in log output.

3. Implementing Best Practices in Launch Files

When integrating Spring Boot configuration into launch files, follow these best practices:

3.1 Avoid Hardcoding Secrets

Never embed sensitive data directly in launch files. Instead, reference secure storage mechanisms, such as:

Environment variables.
Secret management tools like AWS Secrets Manager or HashiCorp Vault.

3.2 Secure Access to Launch Files

Restrict file permissions to minimize exposure:

chmod 600 launch.sh

3.3 Use Role-Based Access Control

Ensure only authorized personnel can modify or execute launch files.

4. Conclusion

Securing sensitive data in Spring Boot configurations and launch files is critical for safeguarding your application and user trust. Whether leveraging environment variables, Jasypt encryption, or secure logging practices, these techniques form a solid foundation for protecting sensitive information.

Remember, the real-world impact of a security breach can be devastating, so implementing these measures today could save you significant trouble tomorrow. If you have any questions or need further clarification, feel free to comment below!