Fork me on GitHub

n. Slang a rough lawless young Kuali developer.
[perhaps variant of Houlihan, Irish surname]
kualiganism n

Blog of an rSmart Java Developer. Full of code examples, solutions, best practices, et al.

Saturday, July 7, 2012

Configuration from VCS with on-the-fly Password Decryption

Overview

To follow up Low-carb KFS Configuration and Decryption/ReEncryption With the DemonstrationGradeEncryptionServiceImpl, I want to now give an example of how public/private key encryption can be used to encrypt passwords used in KFS for the purpose of safely storing these configurations in the VCS.

Steps

Let's get started.

1 Encrypt Your Password

First thing we need to do is get our password encrypted. I'm using my SSH key for encryption. You can do this as well.

1.1 Make Sure Your Public Key is PEM Format

Run the following to convert your ssh public key:



1.2 Encrypt Your Password

Using the datasource.password as an example, I'm going to encrypt it and append it back to the kfs-build.properties file. I am appending it back with the name datasource.encrypted. The reason for this, is I want to distinguish encrypted data from unencrypted data by convention. Any property that ends with .encrypted in the name must be encrypted. This is important because I want to add function, not replace it. Unencrypted passwords still have their purpose. Developers, for example, would find it inconvenient to have to encrypt everything for a number of reasons.



1.3 Now we are encrypted

Let's check it out.



2 PropertyLoadingFactoryBean

Now that the password is encrypted, we need to handle decryption. Since properties are loaded through the PropertyLoadingFactoryBean, we can do it there as we are reading in the properties. The best strategy is probably to do the following:
  1. Load all properties
  2. Iterate over properties searching for the ones ending with .encrypted
  3. Decrypt the property values
  4. Replace property values with the unencrypted ones and change the key names to end with .password by convention

Sounds pretty simple.



The above shows that the getObject is modified to decrypt properties at the end. here is the decryptProps method.



Notice it uses the keystore.filename and keystore.password properties. This means the keystore.password cannot be encrypted. Since it cannot be encrypted, this is probably the only password that cannot be added to the VCS. Likewise, the rice.keystore is a file you want to keep out of VCS since it contains the private and public keys.

Which brings me to the point about the private and public keys being stored in the rice.keystore. This post assumes you are familiar with Decryption/ReEncryption With the DemonstrationGradeEncryptionServiceImpl where I went over adding the SSH private/public keys to the rice keystore.

Conclusion

Now you have enough to encrypt your passwords and decrypt them as properties on-the-fly during KFS startup.


1 comment:

  1. This blog is very informative , I am really pleased to post my comment on this blog .

    ReplyDelete