How to protect username and pass of DataSource in Spring Boot?

0
votes

I have developed some Spring Boot Project and I have initiated my database connection by using spring.datasource.username and spring.datasource.password in application.properties

I have tried to use jasypt to encrypt these properties but I think this is not a good way because I still need to store jasypt.encryptor.password which is not encrypted in application.properties.

I am having difficulties finding the solutions because the results from Internet just mention jasypt.

Are there any better way to protect username and pass for Spring Boot?

2
spring-bootspring-securityspring-dataspring-batchspring-cloud-dataflow
Protect where? In properties file or in network connection to the database? - Eugene Kortov
I am finding the way to protect (encrypt) username and pass in properties file. - Zach Pham
Where are you running your application? AWS? GCP? Azure? - luboskrnac
I deployed my project on the linux service. I do not have enough condition to use Web Services - Zach Pham

2 Answers

1
votes

Definitely you should not keep that sensitive data in properties file.

You should keep those data in vault.

Some of the vault providers :

Then you should use spring config server token based security to get sensitive data out of sensitive storages such as vault.

Refer this for integration example of such use case with spring config server. here.

0
votes

An additional solution would be to use something like Ansible Vault to store sensitive data within your repository and then set those secrets as environment variables during deployment. Your properties files look for environment variables to set as the values. You would need to store the password to the vault file, but Ansible Vault has ways to use a local file (not tracked in source!) for storing the vault password.

A lot of this is taken from 12 Factor App ideas where you use the environment variables as the means to change the configuration.

I hope that helps!