Encrypt Password in db.properties


shadei...@gmail.com

Apr 16, 2022, 8:49:57 AM
to jPOS Users
Good day,

Please, I would like to use an encrypted password in the db.properties file. Is there a way of setting it to use the Jasypt library, or is there any other provision for it?

I connect to another DB directly and use the Jasypt library for decryption and that works perfectly. 

Please, advise.

Shade

shadei...@gmail.com

Apr 19, 2022, 6:05:31 PM
to jPOS Users
Please, I need support on how to do this. Please, help.

Shade

murtuza chhil

Apr 19, 2022, 9:31:30 PM
to jPOS Users
Try asking it on the discord channel.
https://discord.gg/FR95xeX

-chhil

murtuza chhil

Apr 19, 2022, 11:01:21 PM
to jPOS Users
Since jpos uses hibernate, I was looking at http://www.jasypt.org/hibernate.html
Specifically, the section on "Encrypting the database password in hibernate.cfg.xml"
It appears to be transparent and configuring the properties to use the jasypt connection provider etc should work.

What have you tried and what doesn't work?

-chhil


shadei...@gmail.com

Apr 20, 2022, 6:08:31 AM
to jPOS Users
Hello Chhil,

I had my username and password in db.properties and not in hibernate.cfg.xml.
I have used encryption for hibernate password in the past and would see how that would work if I remove the db.properties file and make the system use the hibernate config file instead. I will try that out.

Thanks

Alejandro Revilla

Apr 20, 2022, 9:51:14 PM
to jpos-...@googlegroups.com

In cfg/db.properties you can use something like this:

hibernate.connection.username=${db.username}
hibernate.connection.password=${db.password}

then you have several options:

Environment Variables

If you set up environment variables called DB_USERNAME and DB_PASSWORD, the system will pick them up from there. You can of course set them as part of your deployment strategy. Please note that the arbitrary name db.username gets capitalized, and dots are replaced by underscores.

That's just one way to do it, but we have better ones, keep reading:

Q2 Environment

Q2 supports environments, that you can change using the --environment or -E parameter. (see http://jpos.org/doc/proguide.pdf around page 47). The default environment is cfg/default.yml, but if you start Q2 using for instance q2 -Edevel, the system would read cfg/devel.yml instead (please note you can have many environments, i.e. q2 -Edefault,devel).

In your environment.yml file (i.e. cfg/default.yml) you can then define the username and password like this:

db:
  username: jpos
  password: mypass

But you can also pick those from an external file, i.e.:

db:
  username: jpos
  password: file::/var/secure/mypass.txt

In addition to that, jPOS has support for obfuscated environment variables. Obfuscated variables are not super secure, but can be useful for the occasional lurker. It would read something like this:

db:
  username: jpos
  password: obf::XyFCJwAAAAZO/S+4WCMmaOkIPGr7foARmodeXcsgFJagkJ0f2Do=

Please note that obf::XyFCJwAAAAZO/S+4WCMmaOkIPGr7foARmodeXcsgFJagkJ0f2Do= expands to mypass.

You can easily create obfuscated environment variables using the jPOS CLI's obf command, i.e.:

bin/q2 --cli

and at the q2> prompt you type obf mypass

Please note that every time you run obf xxx it will create a different payload (there's a random component there).

The interesting thing is that you can create an EnvironmentProvider and react to different prefixes. We have created an hsm:: provider that decrypts a variable from the HSM. You can also concatenate providers to add additional security. Creating a provider is super simple (take a look at the FileEnvironmentProvider: https://github.com/jpos/jPOS/blob/master/jpos/src/main/java/org/jpos/core/FileEnvironmentProvider.java).

Hope this helps




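An added example, not part of the original posts and not jPOS code: a pre-deployment audit that scans a Q2 environment YAML for the value styles described in the message above (cleartext, obf::, file::, other provider prefixes) and checks the permission bits of any file:: target. The function names are hypothetical, keys are matched by containing "password", and the file is scanned line by line rather than with a real YAML parser.

```python
import os
import re
import stat
import tempfile

# Matches "password: <value>" lines at any indentation in a Q2 environment YAML.
SECRET_LINE = re.compile(r"^\s*([\w.-]*password[\w.-]*)\s*:\s*(\S.*?)\s*$", re.I)
PROVIDER = re.compile(r"^(\w+)::(.*)$")   # e.g. file::, obf:: as used in the thread


def check_secret_file(path):
    """Classify the file a file:: value points to by its permission bits."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return "file-missing"
    # Any group/other bit means accounts besides the owner can reach the secret.
    return "file-ok" if mode & 0o077 == 0 else "file-too-open:%03o" % mode


def audit_environment(yaml_text):
    """Return [(line_no, key, finding)] for every password-like key."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        p = PROVIDER.match(value)
        if p is None:
            finding = "cleartext"                  # literal secret in the YAML
        elif p.group(1) == "file":
            finding = check_secret_file(p.group(2))
        elif p.group(1) == "obf":
            finding = "obfuscated-not-encrypted"   # hides it from a casual reader only
        else:
            finding = "provider:" + p.group(1)     # custom provider, review separately
        findings.append((line_no, key, finding))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "mypass.txt")     # constructed stand-in path
        with open(secret, "w") as fh:
            fh.write("mypass\n")
        os.chmod(secret, 0o644)                    # deliberately too open
        sample = "db:\n  username: jpos\n  password: file::%s\n" % secret
        for row in audit_environment(sample):
            print(row)
```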

shadei...@gmail.com

Apr 21, 2022, 6:26:58 AM
to jPOS Users
Hi Alejandro,

Thanks for your response. I will try out the obfuscated approach. That at least isn't in clear text.

Regards,

Shade

Hussain lala

Mar 28, 2024, 10:19:49 AM
to jPOS Users
Did you try using the obfuscated approach? And did it work?

Also, can you mention the exact steps that will be needed for this approach and how to use the CLI, as I have not used it before?

Mark Salter

Mar 28, 2024, 10:29:49 AM
to jpos-...@googlegroups.com
Please start a new thread instead of asking for details on a two year old one.

-- 
Mark



Alejandro Revilla

Mar 28, 2024, 11:18:03 AM
to jpos-...@googlegroups.com
Take a look at the environment providers section in the new (work in progress) tutorial: 


