encryption of username/password

odoi...@payrailz.com

Feb 5, 2021, 2:03:05 PM
to mybatis-user
Is there an official answer to the need to encrypt username/passwords in the properties files?

Grzegorz Solecki

Feb 5, 2021, 3:22:05 PM
to mybatis-user
There is no official answer to that.
Have a look at http://www.jasypt.org. It should be fairly easy to integrate.

Larry Meadors

Feb 5, 2021, 5:27:48 PM
to mybati...@googlegroups.com
The approach I use is to supply those values at runtime from the AWS SSM parameter store. That way, they are not in your code base at all.

I believe that there are similar storage options in GCP and Azure.

Larry



Grzegorz Solecki

Feb 5, 2021, 7:12:04 PM
to mybatis-user
The solution that Larry proposed puts you in the position that you need to manage certificates for a given type of environment and assume that your system (on-premise or cloud) is open to an outgoing connection to AWS SSM (security aspect).
IMHO, such a solution only brings benefits when you plan a big number of servers that will use AWS System Manager.

Larry Meadors

Feb 5, 2021, 9:59:54 PM
to mybati...@googlegroups.com
Eh, "use AWS System Manager" is an overstatement - we use the parameter store alone, no other management components. Also, their parameter store manages all of the encryption and decryption for you - the implementation is pretty trivial.

If you're not running your stuff in a cloud environment, as you said, dealing with that on-prem would be a pain - but in that case, you should be able to secure your hardware in such a way that putting the credentials in a file is adequately secure. ¯\_(ツ)_/¯

Larry


odoi...@payrailz.com

Feb 9, 2021, 10:31:24 AM
to mybatis-user
I am fine with using SSM, so do you build your properties file dynamically with it? Right now I have hard-coded properties files. How do you integrate those files to use SSM? Not sure how that works. Do you temporarily write the files?

Larry Meadors

Feb 9, 2021, 1:17:24 PM
to mybati...@googlegroups.com
The basic idea is that at startup, I look for a list of known names in the SSM parameter store and add them to the Spring or Guice container so they can be injected as needed - so it's not a MyBatis problem that I was solving, it was a more general "how do I store and retrieve secrets" kind of problem.

The values never ever ever go into the source code or a file - only the names of them are in the app (generally as @Value annotations). At runtime, they are loaded from SSM and made available to the application. If the values change, a restart is required to reload them, but not a rebuild or redeployment.

I use a library I built to do it: https://github.com/lmeadors/jackson-env - it does more than just this, but there are some bits there that might be useful for you.

Larry
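
The startup lookup described in the post above, wired directly into MyBatis instead of a Spring or Guice container. This is an added example, not code from the thread or from jackson-env; it uses the AWS SDK for Java v2, and the parameter names, the `db.*` placeholder keys and the `mybatis-config.xml` resource are assumptions.

```java
import java.io.InputStream;
import java.util.Map;
import java.util.Properties;
import org.apache.ibatis.io.Resources;
import org.apache.ibatis.session.SqlSessionFactory;
import org.apache.ibatis.session.SqlSessionFactoryBuilder;
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParametersRequest;
import software.amazon.awssdk.services.ssm.model.GetParametersResponse;

public class SsmBackedMyBatis {
    // Assumed names: SSM parameter name -> placeholder key used in mybatis-config.xml,
    // e.g. <property name="password" value="${db.password}"/>. Only names live in the code.
    static final Map<String, String> SECRETS = Map.of(
            "/myapp/prod/db/username", "db.username",
            "/myapp/prod/db/password", "db.password");

    // Fetch the values at startup. SecureString parameters are decrypted by the
    // service, so nothing is written to disk or kept in a properties file.
    static Properties loadSecrets(SsmClient ssm) {
        GetParametersResponse resp = ssm.getParameters(GetParametersRequest.builder()
                .names(SECRETS.keySet())   // GetParameters accepts at most 10 names per call
                .withDecryption(true)
                .build());
        // Fail closed: a missing parameter should stop startup instead of leaving
        // an unresolved ${...} placeholder to surface later as a login failure.
        if (!resp.invalidParameters().isEmpty()) {
            throw new IllegalStateException("Missing SSM parameters: " + resp.invalidParameters());
        }
        Properties props = new Properties();
        resp.parameters().forEach(p -> props.setProperty(SECRETS.get(p.name()), p.value()));
        return props;
    }

    public static void main(String[] args) throws Exception {
        // Region and credentials come from the SDK's default provider chain (e.g. an instance role).
        try (SsmClient ssm = SsmClient.create();
             InputStream config = Resources.getResourceAsStream("mybatis-config.xml")) {
            // Properties passed here resolve the ${...} placeholders in the XML config.
            SqlSessionFactory factory = new SqlSessionFactoryBuilder().build(config, loadSecrets(ssm));
            // Log only non-secret metadata, never the loaded values.
            System.out.println("Environment: " + factory.getConfiguration().getEnvironment().getId());
        }
    }
}
```

The role the application runs under needs `ssm:GetParameters` on just these parameter names, plus decrypt permission on the KMS key if the SecureString values use a customer-managed key.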


odoi...@payrailz.com

Feb 24, 2021, 2:21:15 PM
to mybatis-user
I found 3.9 allows for the MIGRATIONS_PASSWORD env. vars, which is fine. Now I have an issue with checkForMissingLineTerminator:

 Cause: java.lang.RuntimeException: Line missing end-of-line terminator (;) => create function 
