edp963 / davinci

Davinci is a DVsaaS (Data Visualization as a Service) Platform
https://edp963.github.io/davinci
Apache License 2.0

Application.yml password security #1837

Open WhatAKitty opened 4 years ago

WhatAKitty commented 4 years ago

We should encrypt the password in application.yml instead of plain text. e.g. spring.mail.password.

scottsut commented 4 years ago

We probably won't force users to encrypt sensitive information, since that would prevent users without encryption ability from using Davinci. What if we provide a decryption interface so that users can decrypt the configuration content by themselves (though they would need to write code)? What do you think of this approach?

WhatAKitty commented 4 years ago

Emmmm....how about jasypt-spring-boot? Users who want to encrypt or decrypt a password in the yml only need to run a command like the one below:

To encrypt placeholders in src/main/resources/application.properties, simply wrap any string with DEC(...). For example:

    sensitive.password=DEC(secret value)
    regular.property=example

Then run:

    mvn jasypt:encrypt -Djasypt.encryptor.password="the password"

Which would edit that file in place resulting in:

    sensitive.password=ENC(encrypted)
    regular.property=example

The file name and location can be customised.
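Added example (not Davinci's code and not jasypt-spring-boot's own implementation) showing the other half of the ENC(...) convention quoted above: how an application could resolve such placeholders at startup with the plain jasypt library, decrypting only values wrapped in ENC(...) and passing plain-text values through unchanged, so users who do not encrypt are not locked out. It assumes jasypt 1.9.x on the classpath, that the master password is supplied out-of-band through an environment variable (the name JASYPT_ENCRYPTOR_PASSWORD is an assumption here), and that the cipher settings match the defaults jasypt-spring-boot 3.x uses.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EncPlaceholderResolver {
    // Matches the ENC(<base64 ciphertext>) wrapper the jasypt README describes.
    private static final Pattern ENC = Pattern.compile("^ENC\\((.+)\\)$");
    private final StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();

    public EncPlaceholderResolver(String masterPassword) {
        // Assumed to match jasypt-spring-boot 3.x defaults: PBKDF2-style PBE with
        // HMAC-SHA512 and AES-256, random salt and random IV per encryption.
        encryptor.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        encryptor.setIvGenerator(new RandomIvGenerator());
        encryptor.setPassword(masterPassword);
    }

    /** Produces the value a user would paste into application.yml / .properties. */
    public String encrypt(String plainText) {
        return "ENC(" + encryptor.encrypt(plainText) + ")";
    }

    /** ENC(...) values are decrypted; anything else is returned as-is. */
    public Map<String, String> resolve(Map<String, String> rawProps) {
        Map<String, String> resolved = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : rawProps.entrySet()) {
            Matcher m = ENC.matcher(e.getValue().trim());
            resolved.put(e.getKey(), m.matches() ? encryptor.decrypt(m.group(1)) : e.getValue());
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Master password comes from the environment, never from the config file itself.
        String master = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        EncPlaceholderResolver resolver = new EncPlaceholderResolver(master);
        Map<String, String> props = new LinkedHashMap<>();           // constructed sample config
        props.put("spring.mail.password", resolver.encrypt("mail-secret"));
        props.put("regular.property", "example");
        Map<String, String> resolved = resolver.resolve(props);
        if (!"mail-secret".equals(resolved.get("spring.mail.password"))) throw new AssertionError();
        if (!"example".equals(resolved.get("regular.property"))) throw new AssertionError();
        System.out.println("stored: " + props.get("spring.mail.password"));
    }
}
```

Because salt and IV are random, encrypting the same value twice yields different ENC(...) strings; both decrypt to the same plain text under the same master password.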

scottsut commented 4 years ago

👌 Thanks for the suggestion, we will consider it.