encryption in spring-cloud-config-server

Question

I'm trying to run spring-cloud-config-server with an encrypted property in application.yml.

---

server:
  port: 8888  

spring:
  cloud:
    config:
      server:
        git:
          uri: file:/Users/gadams/git/cs-config

encrypt:
  key-store:
    location: classpath:/config-server.jks
    password: password
    alias: alias
    secret: secret

security:
  user:
    password: '{cipher}encryptedPassword'

I get the following error on startup:

java.lang.IllegalStateException: Cannot decrypt: key=security.user.password
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:333) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:635) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:349) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:313) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
    at com.collegescheduler.ConfigServerApplication.main(ConfigServerApplication.java:12) [bin/:na]
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
    at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:152) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193) ~[spring-cloud-context-1.1.6.RELEASE.jar:1.1.6.RELEASE]
    ... 9 common frames omitted

I'm using org.springframework.cloud:spring-cloud-dependencies:Camden.SR3. How should one go about encrypting the spring-security user password in the config server?

Answer 1

It's something wrong in your keystore configuration from log.

Use keytool to verify the pass/secret/alias of your key store firstly.

Answer 2

Did you respect the prerequisites?

Prerequisites: to use the encryption and decryption features you need the full-strength JCE installed in your JVM (it’s not there by default). You can download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Oracle, and follow instructions for installation (essentially replace the 2 policy files in the JRE lib/security directory with the ones that you downloaded).

You should also have in your pom.xml:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-rsa</artifactId>
</dependency>