Open armtumanyan opened 1 year ago
I’m confused, change on any secret… encryption key or encrypted secret will require you to change the values in the property files…
@ulisesbocchio Let me rephrase my problem.
We are using Jasypt to keep the data encrypted in the DB (Hibernate). So we set a password let's say 123, and we have 10 records in the DB with encrypted value through Jasypt. Now, I want to change the password from 123 to 234, but the existing records in the DB were encrypted with the password 123, correct? So my question was, is there any possibility for password rotation without touching already encrypted values in the DB, or do we need to write a job or so which will do the rest? e.g. get the encrypted data form the DB using an old password, encrypt with a new password, and put back. Hope I was clear now, thanks!
Ah, the answer is yes, but not for free :) You'd have to implement depending on the level of sophistication needed either a:
Or all of the above....
the fastest way is probably defining custom composite StringEncryptor
, this string encryptor would be bootstrapped from multiple keyed
string encryptors. For instance:
jasypt:
encryptor:
encryptors:
- key: old
default: true
privateKeyFormat: PEM
privateKeyLocation: classpath:private_key_old.pem
- key: new
privateKeyFormat: PEM
privateKeyLocation: classpath:private_key_new.pem
You'd figure out the code, but the trick here would be to also "enhance" the encrypt
and decrypt
methods:
private static class KeyedMessage {
public static parse(String value) {
// split incoming msg expecting a char separator like @ or whatever, for instance: `old@uaosdifuosidfu`
return new KeyedMessage(key, message);
}
public String toString() {
return this.key + "@" + this.message;
}
}
private StringEncryptor getDelegate(String key) {
// find own encryptors by key, or if key === null, use default one.
}
@Override
public String encrypt(String message) {
KeyedMessage msg = KeyedMessage.parse(message);
String encrypted = this.getDelegate(msg.getKey()).encrypt(msg.getMessage());
return new KeyedMessage(msg.getKey(), encrypted).toString();
}
@Override
public String decrypt(String encryptedMessage) {
KeyedMessage msg = KeyedMessage.parse(message);
return this.getDelegate(msg).decrypt(msg.getMessage());
}
then essentially you can add/remove encryptors to your list via config, and change the encrypted values in the DB at your own pace, so long as you don't remove the encryptor config before you remove the last encrypted password with that encryptor.
Thanks @ulisesbocchio , I will check the solution and repost it here.
Hi,
Is there any possibility to change the password but not touch already encrypted values? The requirement is to rotate passwords once in 2 months, and I cannot find a way how to do it without already encrypted data re-encryption. It will be really helpful to have a master password and a secondary password, so we can put them and Jasypt can automatically handle it.