Reputation: 290
I have developed a Spring Boot project and I have initiated my database connection by using spring.datasource.username and spring.datasource.password in application.properties.
I have tried to use jasypt to encrypt these properties but I think this is not a good way because I still need to store jasypt.encryptor.password which is not encrypted in application.properties.
I am having difficulty finding solutions because the results from the Internet just mention jasypt.
Is there any better way to protect the username and pass for Spring Boot?
Upvotes: 0
Views: 1615
Reputation: 116
An additional solution would be to use something like Ansible Vault to store sensitive data within your repository and then set those secrets as environment variables during deployment. Your properties files look for environment variables to set as the values. You would need to store the password to the vault file, but Ansible Vault has ways to use a local file (not tracked in source!) for storing the vault password.
A lot of this is taken from 12 Factor App ideas where you use the environment variables as the means to change the configuration.
I hope that helps!
Upvotes: 0
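The approach in the answer above (properties that reference environment variables, with the secrets injected at deployment) can be guarded by a pre-deployment check. This is an added example, not part of the original answer; the variable names DB_USERNAME and DB_PASSWORD and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-deployment guard for Spring Boot datasource credentials.
# DB_USERNAME / DB_PASSWORD and the sample files are constructed for illustration.
SENSITIVE_KEYS='spring.datasource.username spring.datasource.password'
PLACEHOLDER_RE='^\$\{[A-Za-z_][A-Za-z0-9_]*\}$'   # exactly one ${NAME}, no default

prop_value() {  # prop_value FILE KEY: print the last value assigned to KEY
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# Print every sensitive key whose value is not a bare ${ENV_VAR} placeholder.
# A ${NAME:fallback} form is rejected too: the fallback is a literal secret.
find_literal_secrets() {
    rc=0
    for key in $SENSITIVE_KEYS; do
        prop_value "$1" "$key" | grep -Eq "$PLACEHOLDER_RE" || { echo "$key"; rc=1; }
    done
    return $rc
}

# Print every referenced environment variable that the JVM would not inherit.
find_missing_env() {
    rc=0
    for key in $SENSITIVE_KEYS; do
        name=$(prop_value "$1" "$key" | sed -n 's/^\${\([A-Za-z_][A-Za-z0-9_]*\)}$/\1/p')
        [ -n "$name" ] || continue
        [ -n "$(printenv "$name")" ] || { echo "$name"; rc=1; }
    done
    return $rc
}

write_samples() {  # constructed sample files, written into directory $1
    printf '%s\n' 'spring.datasource.url=jdbc:postgresql://db.example/app' \
        'spring.datasource.username=${DB_USERNAME}' \
        'spring.datasource.password=${DB_PASSWORD}' > "$1/good.properties"
    printf '%s\n' 'spring.datasource.username=${DB_USERNAME}' \
        'spring.datasource.password=${DB_PASSWORD:changeme}' > "$1/bad.properties"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "bad.properties literal keys: $(find_literal_secrets "$demo_dir/bad.properties")"
echo "good.properties unset vars: $(find_missing_env "$demo_dir/good.properties" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

Run find_literal_secrets in CI against the committed application.properties, and find_missing_env on the host just before starting the application, after the deployment step has exported the secrets.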
Reputation: 4539
You should definitely not keep that sensitive data in a properties file.
You should keep that data in a vault.
Some of the vault providers:
Then you should use Spring Config Server token-based security to get sensitive data out of sensitive storage such as a vault.
Refer to this for an integration example of such a use case with Spring Config Server. here.
Upvotes: 1