Closed elizabetht closed 8 years ago
I encrypted using the following command: curl localhost:8888/encrypt -d SpringCloud. Should I use curl localhost:8888/encrypt -d {key:mykeyalias}SpringCloud instead for the key prefix to work?
Should I use curl localhost:8888/encrypt -d {key:mykeyalias}SpringCloud instead for the key prefix to work?
Yes. But the key:value placeholders are only supported on the server. It looks like you are trying to use it on the client to me.
Yes, I was placing the encrypted value foo.bar: '{cipher}{key:mytestkey}....' on a client and decrypting it at run-time, just like when I place foo.bar: '{cipher}...'. The latter gets decrypted successfully but not the former!
@dsyer: So, how do we use encrypted values with key prefixes for key rotation and multiple keys on a config client? Any tips/ideas?
key:value placeholders are only supported on the server.
Decrypt on the server rather than the client?
@spencergibb: We want to have a model where the config server is not used and only the config client is used. The client does not contact the server for decrypting values. Once values are encrypted, the client decrypts them on the fly whenever they are used.
So the answer is: currently not possible.
Well, thanks!
We could turn that into a feature request if it's possible. @dsyer could key prefixes be implemented on the client?
I guess it's possible. Seems to me you'd be updating the clients often enough that you'd just install a new default key in its keystore. So there's no need for key:value extensions for the client. Please explain your scenario more if it is important.
@dsyer and @spencergibb: We want to have this option on the client so that if, for some reason, the key that was used for encryption is compromised, we could load another key into the keystore and use the second key for encrypting properties. So, I want to explore this option of using a value encrypted with key1 and the same value encrypted with key2 and see if the client could decrypt both values.
I don't yet see a compelling need for TextEncryptorLocator in a client. You only ever need one key at a time. You can add a new key to the store and change one piece of configuration to point to the new key and you are done. Your workflow for changing a key is the same, but it involves an extra unnecessary abstraction.
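To make the disagreement above concrete, here is an added example (not Spring Cloud Config code, and not something either participant posted) of what a client-side lookup by key alias would have to do: parse the {cipher}{key:alias} prefix, resolve the alias against a keystore holding both the old and the rotated key, and decrypt with whichever key the value names, falling back to the default key when no alias is present. Everything in it is an assumption for illustration: an in-memory dict stands in for keystore.jks, an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AES-based TextEncryptor Spring uses, and the aliases and values are constructed (the testkey/mytestkey names are reused from the thread).

```python
"""Client-side decryption of properties carrying a {cipher}{key:alias} prefix.

Added illustration for the thread above; it is not Spring Cloud Config code.
The KeyStore class is an in-memory stand-in for keystore.jks, and the cipher
is an HMAC-SHA256 counter-mode keystream plus HMAC tag, standing in for the
AES-based TextEncryptor Spring uses. All aliases and values are constructed.
"""
import base64
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# {cipher} is mandatory; {key:alias} is optional and names a keystore alias.
_PREFIX_RE = re.compile(r"^\{cipher\}(?:\{key:(?P<alias>[^}]+)\})?(?P<body>\S+)$")


def parse_property(value: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (alias, ciphertext) for an encrypted property, or None if plain."""
    m = _PREFIX_RE.match(value)
    if m is None:
        return None
    return m.group("alias"), m.group("body")


class KeyStore:
    """Several symmetric keys by alias with one default, like a JKS keystore."""

    def __init__(self, default_alias: str, default_key: bytes) -> None:
        self._keys: Dict[str, bytes] = {default_alias: default_key}
        self.default_alias = default_alias

    def add(self, alias: str, key: bytes) -> None:
        """Load an additional (e.g. rotated) key; the old one stays usable."""
        self._keys[alias] = key

    def get(self, alias: Optional[str]) -> bytes:
        """Resolve an alias (None means the default); KeyError if unknown."""
        return self._keys[alias or self.default_alias]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = HMAC-SHA256(key, nonce || i), truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC; token is base64(nonce || ciphertext || tag)."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + body + tag).decode("ascii")


def decrypt(key: bytes, token: str) -> str:
    """Verify the tag in constant time before touching the ciphertext."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 16 + 32:
        raise ValueError("token too short")
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return plain.decode("utf-8")


def encrypt_property(store: KeyStore, plaintext: str, alias: Optional[str] = None) -> str:
    """Produce the property value; alias=None yields the plain {cipher} form."""
    key = store.get(alias)
    prefix = "{cipher}" if alias is None else "{cipher}{key:%s}" % alias
    return prefix + encrypt(key, plaintext)


def decrypt_property(store: KeyStore, value: str) -> str:
    """What a client would run on each property at startup."""
    parsed = parse_property(value)
    if parsed is None:
        return value  # not encrypted, pass through unchanged
    alias, body = parsed
    return decrypt(store.get(alias), body)  # KeyError if the alias is not loaded


if __name__ == "__main__":
    store = KeyStore("testkey", secrets.token_bytes(32))
    old = encrypt_property(store, "SpringCloud", "testkey")
    store.add("mytestkey", secrets.token_bytes(32))  # rotate: load a second key
    new = encrypt_property(store, "SpringCloud", "mytestkey")
    print(decrypt_property(store, old), decrypt_property(store, new))
```

The alias lookup in decrypt_property is the part the server's TextEncryptorLocator performs and the client lacks, which is why the '{cipher}{key:mytestkey}...' value in the thread fails while '{cipher}...' succeeds: the client only ever takes the default-key path. Note that a value naming an alias that is not loaded fails with KeyError rather than silently trying the default key, and a value decrypted with the wrong key fails on the tag check instead of yielding garbage.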
I have the following property defined in my application.yml file, where testkey is the alias of the key I created in the keystore.jks file:
I am able to decrypt the property on command line.
But when I reference foo.bar in my controller, it is not able to decrypt the property on tomcat startup. Following is the stack trace:
Could you please help on how we can place the 'key' in the cipher data? Also, how can I load multiple keystores to the spring cloud config?