org.jasypt.exceptions.EncryptionOperationNotPossibleException

Question

I am using Jasypt-1.9.0 with Spring 3.1 and Hibernate 4.0.1. I have a requirement in my application to connect to database whose password(root) is stored in the encrypted form in the property file within the application.

I looked online and found the way with following links:

1. http://www.jasypt.org/spring31.html

2. http://www.jasypt.org/hibernate.html

3. http://www.jasypt.org/encrypting-configuration.html

I have done the following steps and configuration for my requirement:

• Added jasypt-1.9.0 and jasypt-hibernate4-1.9.0 in build path.
• Added following in my dispatcher-servlet file:

< bean id="propertyConfigurer"
   class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">

  < constructor-arg ref="configurationEncryptor" />
  < property name="locations">
    < list>
      < value>classpath:database.properties< /value>
    < /list>
  < /property>
< /bean>

< bean id="configurationEncryptor"
    class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  < property name="config" ref="environmentVariablesConfiguration" />
< /bean>

< bean id="environmentVariablesConfiguration"
    class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  < property name="algorithm" value="PBEWithMD5AndDES" />
  < property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
</bean>

• Using CLI tool of Jasypt 1.9.0, I have generated the password below(attached snapshot of CLI)

- Added a new Environment Varibale as APP_ENCRYPTION_PASSWORD with value as root

• Added the encrypted password in database.properties file

db.driverClassName=com.mysql.jdbc.Driver
db.url=jdbc:mysql://localhost:3306/db1
db.username=root
db.password=ENC(bmfeQmgP/hJrh+mj6NANKA==)

Now, if I run my application, the following exception appears:

org.jasypt.exceptions.EncryptionOperationNotPossibleException
    at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
    at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:725)
    at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)

Answer 1

Thanks @Fado for pointing about the parameters that need to be set for the encryption to work.

The following code works for me now:

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.salt.RandomSaltGenerator;
import org.jasypt.iv.RandomIvGenerator;

public class MyClass {
    public static void main(String args[]) {
      StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
      encryptor.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
      encryptor.setPassword("mypassord");
      
     
        encryptor.setIvGenerator(new RandomIvGenerator());
        encryptor.setSaltGenerator( new RandomSaltGenerator());
        encryptor.setKeyObtentionIterations(1000);
        String encrypted = encryptor.encrypt("encryptThis");

      System.out.println("Encrypted text:" +encrypted);
      System.out.println("Decrypted text:"+encryptor.decrypt(encrypted));
    }
}

I've made a JDoodle online project with the example: https://jdoodle.com/ia/IL0

Answer 2

1. Remove all above XML configuration and add the following bean to your configuration class:

   @Bean public DataSource dataSource() {
   DataSourceBuilder dataSourceBuilder = 
   DataSourceBuilder.create();
   dataSourceBuilder.url(dbUrl);
   dataSourceBuilder.username(username);
   dataSourceBuilder.password(password);
   return dataSourceBuilder.build(); 
   }
   

2. Add values from properties like

   @Value("${db.driverclassname}")
   private String dbDriverClassName;
   
   @Value("${db.url}")
   private String dbUrl;
   
   @Value("${db.username}")
   private String dbUsername;
   
   @Value("${db.password}")
   private String dbPassword;
   

   And pass these values above the data source.

3. Configure your encryption key in properties file like#

   db.driverclassname=com.mysql.jdbc.Driver
   db.url=jdbc:mysql://localhost:3306/contactsdb
   db.username=contactsuser
   db.password=ENC(XcBjfjDDjxeyFBoaEPhG14wEzc6Ja+Xx
   +hNPrJyQT888=
   

4. Don't create your encrypted key using cmd and jaspyt jar I will share the link for creating encryption key with your secret key:

   Jasypt Online Encryption and Decryption

5. Add jaspyat dependency as per your version.

   If you have to run on a server and if you are facing issues like password encryption not matches or not possible, then add one more bean of jdbc template:

   @Bean
   public JdbcTemplate jdbcTemplate(DataSource 
   dataSourcee)
   {
       return new JdbcTemplate(dataSource);
   }
   

It works fine and no issues found.

Create the key using that tool. Because I have tried many times using jaspyt command line but the encryption is wrong and it is not supported. You can cross-check key generated using the above tool with the secret key.

Answer 3

If you don't specifiy all the params during encryption, Jasypt will use default values. Make sure to use those exact default values during decryption. Otherwise you may have troubles...

This work for me:

mvn jasypt:encrypt -Djasypt.encryptor.password='secret' \
    -Djasypt.encryptor.algorithm=PBEWITHHMACSHA512ANDAES_256 \
    -Djasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator \
    -Djasypt.encryptor.salt-generator-classname=org.jasypt.salt.RandomSaltGenerator \
    -Djasypt.encryptor.key-obtention-iterations=1000  \
    -Djasypt.plugin.path='file:application.yml' 

mvn jasypt:decrypt -Djasypt.encryptor.password='secret' \
    -Djasypt.encryptor.algorithm=PBEWITHHMACSHA512ANDAES_256 \
    -Djasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator \
    -Djasypt.encryptor.salt-generator-classname=org.jasypt.salt.RandomSaltGenerator \
    -Djasypt.encryptor.key-obtention-iterations=1000  \
    -Djasypt.plugin.path='file:application.yml' 

Answer 4

I had a similar issue, but I realize when using the CLI tool and trying to decrypt the password you don't have to include the algorithm property and the password property needs to match the one used in the CLI Tool.

In their http://www.jasypt.org/encrypting-configuration.html

their example looks like this, but this doesn't work.

encryptor.setPassword("jasypt"); // could be got from web, env variable... encryptor.setAlgorithm("PBEWithHMACSHA512AndAES_256"); encryptor.setIvGenerator(new RandomIvGenerator());

---

Solution:

encryptor.setPassword("MYPAS_WORD"); // Like in the CLI Tool encryptor.setAlgorithm("PBEWithHMACSHA512AndAES_256"); //Remove this encryptor.setIvGenerator(new RandomIvGenerator()); //Remove this as well

It'll work fine.

In your case you can remove the algorithm property and passwordEvnName needs to match the one used in CLI Tool.

Answer 5

I also experienced similar issue when encrypting property file values. I encrypted values in my local Windows machine and tried to deploy in Linux box but JRE versions were different, therefore encrypted values could not be decrypted. But I encrypted the values in Linux machine and decryption was successful.

Answer 6

The question is most probably out of date, but for future seekers... EncryptionOperationNotPossibleException is a general exception thrown by jasypt to mask other possible exceptions. This exception can occur when:

• your jdk does not have the JCE unlimited strenght installed (most common case)
• you had some data in the database that was encrypted before with other password
• you had some data in database that were not encrypted before and you added encryption to some field
• jasypt failed to decrypt the encrypted value from db because of some strange corruption of data
• many many others, you just need to debug to find out the real cause..