ulisesbocchio / jasypt-spring-boot

Jasypt integration for Spring boot
MIT License
2.93k stars 523 forks source link

Password rotation possibility #366

Open armtumanyan opened 1 year ago

armtumanyan commented 1 year ago

Hi,

Is there any possibility to change the password but not touch already encrypted values? The requirement is to rotate passwords once in 2 months, and I cannot find a way how to do it without already encrypted data re-encryption. It will be really helpful to have a master password and a secondary password, so we can put them and Jasypt can automatically handle it.

ulisesbocchio commented 1 year ago

I’m confused, change on any secret… encryption key or encrypted secret will require you to change the values in the property files…

armtumanyan commented 1 year ago

@ulisesbocchio Let me rephrase my problem.

We are using Jasypt to keep the data encrypted in the DB (Hibernate). So we set a password let's say 123, and we have 10 records in the DB with encrypted value through Jasypt. Now, I want to change the password from 123 to 234, but the existing records in the DB were encrypted with the password 123, correct? So my question was, is there any possibility for password rotation without touching already encrypted values in the DB, or do we need to write a job or so which will do the rest? e.g. get the encrypted data form the DB using an old password, encrypt with a new password, and put back. Hope I was clear now, thanks!

ulisesbocchio commented 1 year ago

Ah, the answer is yes, but not for free :) You'd have to implement depending on the level of sophistication needed either a:

Or all of the above.... the fastest way is probably defining custom composite StringEncryptor, this string encryptor would be bootstrapped from multiple keyed string encryptors. For instance:

jasypt:
    encryptor:
      encryptors:
          - key: old
             default: true
             privateKeyFormat: PEM
             privateKeyLocation: classpath:private_key_old.pem
          - key: new 
             privateKeyFormat: PEM
             privateKeyLocation: classpath:private_key_new.pem

You'd figure out the code, but the trick here would be to also "enhance" the encrypt and decrypt methods:

    private static class KeyedMessage {
        public static parse(String value) {
             // split incoming msg expecting a char separator like @ or whatever, for instance: `old@uaosdifuosidfu`
             return new KeyedMessage(key, message); 
        }

        public String toString() {
               return this.key + "@" + this.message;
        }
    }

    private StringEncryptor getDelegate(String key) {
        // find own encryptors by key, or if key === null, use default one.
    }

    @Override
    public String encrypt(String message) {
        KeyedMessage msg = KeyedMessage.parse(message);
        String encrypted = this.getDelegate(msg.getKey()).encrypt(msg.getMessage());
        return new KeyedMessage(msg.getKey(), encrypted).toString();
    }

    @Override
    public String decrypt(String encryptedMessage) {
        KeyedMessage msg = KeyedMessage.parse(message);
        return this.getDelegate(msg).decrypt(msg.getMessage());
    }

then essentially you can add/remove encryptors to your list via config, and change the encrypted values in the DB at your own pace, so long as you don't remove the encryptor config before you remove the last encrypted password with that encryptor.

armtumanyan commented 1 year ago

Thanks @ulisesbocchio , I will check the solution and repost it here.