Reputation: 11
Our config server is relatively insecure and only a handful of clients need the encrypted properties. Ideally, we want the server to only have the public key and each client can use the private key for decryption. The trouble is that by default, the config server will always attempt to decrypt cipher text for you. To prevent that, I disabled the default behavior like so:
@SpringBootApplication(exclude = EncryptionAutoConfiguration.class)
@EnableConfigServer
public class ConfigServerApplication {
    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}
Now when the client application fetches properties from the config server, it gets something like this:
"source": {
    "username": "foobar",
    "password": "{cipher}CiBNmK+y3ZLsXHVgaJMAiuNyLQo3p0e..."
}
I've implemented a TextEncrypter bean and tested it to make sure it works properly on the client. On client application startup, I expect the EnvironmentDecryptApplicationInitializer class to process the client's local bootstrap and application properties as well as those fetched from the config server. However I see that only the client's local files are considered. If my cipher text is present in the local bootstrap.yml, then it gets properly decrypted. However, if the cipher text comes from the config server, it does not get decrypted. Is there a way to include the properties fetched from the config server as well?
Upvotes: 1
Views: 5119
Reputation: 3188
This is actually super simple to do. According to this issue:
https://github.com/spring-cloud/spring-cloud-config/issues/365
All you have to do is configure the cloud config client like the cloud config server. What this means is, if you are using symmetric encryption all you have to do is
1.) Add the following to application.properties on the Spring Cloud Config Server so the server does not decrypt the properties before sending to the client:
spring.cloud.config.server.encrypt.enabled=false
2.) On the Spring Cloud Config Client, all you need to do is add the encryption key to the bootstrap.properties file:
encrypt.key=supersecretpassword
That's it. The properties will be decrypted when they are read by the client.
For asymmetric encryption I'd assume you can do exactly the same by adding the symmetric key properties to the bootstrap.properties file on the client:
encrypt.keyStore.location:classpath:/server.jks
encrypt.keyStore.password:letmein
encrypt.keyStore.alias:mytestkey
encrypt.keyStore.secret:changeme
Upvotes: 3
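The following is an added example written for this page; it is not code from the question, the answers, or Spring Cloud itself. It shows what the client-side decryption pass described above amounts to once the server has been told not to decrypt: a property source still carrying "{cipher}" values is walked and each value is decrypted with a TextEncryptor. The symmetric branch uses Spring Security's Encryptors.text with "deadbeef", which is Spring Cloud's default encrypt.salt (a custom encrypt.salt has to match on both sides). The asymmetric branch models the question's goal: the server holds only the public key and cannot read what it serves, while the client holds the key pair. It assumes spring-security-crypto and spring-security-rsa on the classpath; the in-process RSA key pair, the decryptSource helper, the failOnError flag, and all sample values are constructed for the demo (a real client would load the key pair from the encrypt.keyStore.* settings in bootstrap.properties).

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;

/**
 * Added example (not from the question or answers): client-side handling of a
 * property source whose values still carry the "{cipher}" prefix because the
 * config server runs with spring.cloud.config.server.encrypt.enabled=false.
 */
public class ClientSideDecryptExample {

    static final String CIPHER_PREFIX = "{cipher}";

    /**
     * Decrypt every "{cipher}" value of a fetched property source (constructed helper).
     * failOnError mirrors the idea behind Spring Cloud's encrypt.failOnError switch:
     * when true a value that cannot be decrypted aborts startup, when false it is
     * replaced by an empty string so raw ciphertext never leaks through as a "password".
     */
    static Map<String, String> decryptSource(Map<String, String> source,
                                             TextEncryptor decryptor,
                                             boolean failOnError) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : source.entrySet()) {
            String value = e.getValue();
            if (value != null && value.startsWith(CIPHER_PREFIX)) {
                try {
                    value = decryptor.decrypt(value.substring(CIPHER_PREFIX.length()));
                } catch (RuntimeException ex) {
                    if (failOnError) {
                        throw new IllegalStateException(
                                "Cannot decrypt property " + e.getKey(), ex);
                    }
                    value = "";
                }
            }
            out.put(e.getKey(), value);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // --- Symmetric case: client and server share encrypt.key, the server never decrypts.
        // "deadbeef" is Spring Cloud's default encrypt.salt; Encryptors.text expects hex.
        // (256-bit AES: older JDKs need the JCE unlimited-strength policy files.)
        String sharedKey = "supersecretpassword";              // value from the answer above
        TextEncryptor symmetric = Encryptors.text(sharedKey, "deadbeef");

        // Constructed stand-in for the "source" block the client receives from the server.
        Map<String, String> fetched = new LinkedHashMap<>();
        fetched.put("username", "foobar");
        fetched.put("password", CIPHER_PREFIX + symmetric.encrypt("s3cr3t"));

        Map<String, String> plain = decryptSource(fetched, symmetric, true);
        System.out.println("symmetric, client side: " + plain);   // password is plaintext again

        // --- Asymmetric case: server holds only the public key, client holds the key pair.
        // Key pair generated here only for the demo; in practice it comes from the JKS
        // referenced by encrypt.keyStore.location on the client.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        RsaSecretEncryptor publicOnly = new RsaSecretEncryptor(pair.getPublic()); // encrypt only
        RsaSecretEncryptor clientSide = new RsaSecretEncryptor(pair);

        Map<String, String> stored = new LinkedHashMap<>();
        stored.put("db.password", CIPHER_PREFIX + publicOnly.encrypt("db-secret"));

        // The client can read the value ...
        System.out.println("asymmetric, client side: " + decryptSource(stored, clientSide, true));

        // ... while a holder of only the public key cannot; with failOnError=false the
        // value is blanked rather than passed through as ciphertext.
        System.out.println("asymmetric, public key only: " + decryptSource(stored, publicOnly, false));
    }
}
```

In a real client this pass has to run before the property sources are exposed to the rest of the application, which is what EnvironmentDecryptApplicationInitializer does by registering a highest-precedence "decrypted" property source; the helper above only makes the order of operations, and the failure mode when a key is missing or wrong, explicit.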
Reputation: 1
In case you want to give it another go, we were able to get this working.
On the config server:
spring.cloud.config.server.encrypt.enabled=false
On the client, we're using spring-cloud-config-aws-kms. That way we can authorize each service with a role that gives access to the key. If you want to do something else, the above project shows what's needed.
Upvotes: 0
Reputation: 11
We gave up on client side decryption. Instead we used the default behavior ... the config server decrypts ciphers. For security we put the config server inside a special security group (aws) and we forced the server to communicate only over https.
Upvotes: 0