This guide contains low-level technical information. Maybe you should start first with the Easy Usage or General Usage guides?

Encrypting application configuration files

Jasypt offers support for encrypted application configuration in three different ways:

  • .properties files: Jasypt provides the org.jasypt.properties.EncryptableProperties class for loading, managing and transparently decrypting encrypted values in .properties files, allowing the mix of both encrypted and not-encrypted values in the same file.
  • Spring-integrated transparent decryption of .properties files: Jasypt can integrate into the configuration system of the Spring Framework (2.x and 3.x) and transparently decrypt .properties files used by Spring applications. Learn more: Spring 2.x, Spring 3.0, Spring 3.1, Spring 4.0.
  • Encryption of datasource parameters in Hibernate's hibernate.cfg.xml file: Jasypt provides two connection provider classes for Hibernate (DriverManager- and C3P0-based) which allow the basic datasource parameters (driver, url, username and password) to be written in an encrypted manner in the hibernate.cfg.xml file. Learn more.

This way, jasypt supports the encryption of sensitive configuration data in multiple scenarios (Hibernate-, Spring-, both- or neither-based applications).

As a general rule, jasypt expects encrypted configuration parameters to appear surrounded by "ENC(...)". You can compute this values using the CLI tools.

Here you may think: "wait... I can encrypt values in my configuration files, ok, but... I still need a password (the encryption password) to decrypt them! Where can I store it safely?". That is correct, you still need one password, but this time it is the encryption one, under jasypt control, and thus, configurable in many other more secure ways (especially recommended would be environment variables or web PBE configuration...).

EncryptableProperties

By using an org.jasypt.properties.EncryptableProperties object, an application would be able to correctly read and use a .properties file like this:

 datasource.driver=com.mysql.jdbc.Driver
 datasource.url=jdbc:mysql://localhost/reportsdb
 datasource.username=reportsUser
 datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)

Note that the database password is encrypted (in fact, any other property could also be encrypted, be it related with database configuration or not).

How do we read this value? like this:

 /*
  * First, create (or ask some other component for) the adequate encryptor for
  * decrypting the values in our .properties file.
  */
 StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
 encryptor.setPassword("jasypt"); // could be got from web, env variable...
 encryptor.setAlgorithm("PBEWithHMACSHA512AndAES_256");
 encryptor.setIvGenerator(new RandomIvGenerator());
 
 /*
  * Create our EncryptableProperties object and load it the usual way.
  */
 Properties props = new EncryptableProperties(encryptor);
 props.load(new FileInputStream("/path/to/my/configuration.properties"));

 /*
  * To get a non-encrypted value, we just get it with getProperty...
  */
 String datasourceUsername = props.getProperty("datasource.username");

 /*
  * ...and to get an encrypted value, we do exactly the same. Decryption will
  * be transparently performed behind the scenes.
  */ 
 String datasourcePassword = props.getProperty("datasource.password");

 // From now on, datasourcePassword equals "reports_passwd"...
 

For decrypting the encrypted value, we just had to access it with getProperty, just as with any other non-encrypted value.

EncryptableProperties objects can receive as a constructor argument both an org.jasypt.encryption.StringEncryptor implementation or an org.jasypt.util.TextEncryptor object.