Multiple property encryption using jasypt encryption - encryption

I have relatively less idea about encryption but i have done research on encryption in spring boot in application.properties file but i have not found any material based on multiple password encryption.If someone could provide some material or some direction as to how i would proceed will be helpful

Basically you got to do 3 things.
1. Encrypt your password using jasypt.This can be done using command line tool as indicated here or using a simple java program as indicated here. You need a password along with the string you need to encrypt. password is something like a secret key(or salt) which is used to encrypt the string you want to encrypt.
2. Add this to your application properties or yml jasypt.encryptor.password=password_used_in_the_previous_step
3. And add the encrypted password you got from step 1 like this ENC(Your_Encrypted_Password)
Add the necessary dependencies.
Here is a good example.
https://github.com/ulisesbocchio/jasypt-spring-boot.

Related

How to change encrypted password in context file without using the studio

I am using a group context to configure the db connection. The password of the db has a password type. When deploying the job, the password is automatically encrypted in the default.properties under the contexts folder.
What if i want to change the password without using the studio (on a client environment)? what can i use to encrypt the new password?
I was able to do it by creating a separate encryption job with a tjava component and the following code:
System.out.println(routines.system.PasswordEncryptUtil.encryptPassword(context.Password));
where context.Password is an input context variable of type String. When running the job, the user is prompted to enter a password and then the encrypted Talend password will be printed. It will have the following format: enc:routine.encryption.key.v1:[encryptedPassword] The routine encryption key can be modified if needed by following this link: https://help.talend.com/r/en-US/8.0/installation-guide-data-integration-windows/rotating-encryption-keys-in-talend-studio
There's actually a few ways for this:
myJob.sh --context_param myPassword=pass123
this unfortunately can be seen by anyone via ps / task manager.
You can also edit the contexts/contextName.properties file and change the context parameters there. This way the context can only be seen if you have access to the file.
Theoretically both should be able to accept the cleartext/encrypted password.
Implicit context load feature can also be used to load contexts: https://help.talend.com/r/en-US/8.0/data-integration-job-examples/creating-job-and-defining-context-variables

Using PBKDF2 to store password hashes in Jackrabbit OAK

We are migrating an application that was built on Sling 6 & Jackrabbit to Sling 10 & Oak. We are using Oak 1.6.8 which is the version used in the example sling 10 application. We had previously built our own authenticators & login plugins to use CryptedSimpleCredentials and keep passwords encrypted in the JCR. It looks like that is now the standard in Oak using CredentialsImpl. I'm trying to decide if we can drop our custom code and just configure oak properly. I've set the UserConfigurationImpl.config with the following values:
passwordHashAlgorithm="PBKDF2WithHmacSHA256"
passwordHashIterations="1000"
passwordSaltSize="20"
I took the HashAlgorithm key from a comment in org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generatePBKDF2(...). Following the code in PasswordUtil, the PBKDF2 prefix will generate the digest using a secret key.
Stepping through the code, I can see that during org.apache.jackrabbit.oak.security.user.UserInitializer.Initialize(...) the admin user is created (:139). The hash created for the password uses above mentioned methods and produces a hash with salt & iterations :
{PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
However, when trying to login with the admin user, it is not able to authenticate the user. PasswordUtil.isSame() fails to recognize the algorithm when calling extractAlgorithm(hashedPwd) because message.digest("PBKDF2WithHmacSHA256") is invalid.
I have not been able to find any other people looking for help with this topic, which leads me to believe that maybe I have a fundamental misunderstanding that I can't see. Any and all help would be appreciated.
It looks like this was a bug fixed by OAK-7778.

Thales HSM Generate key "Form key from clear components" ("FK" command)

I have two clear components, generated by command 000A30303030413230303255 (it's a 000A0000A2002U in HEX mode. This is "GC" - Translate a ZPK from LMK to ZMK Encryption command from 1270A513 Issue 3 manual) using Java code
Now I need to generate an Encrypted key from those components. The console command for it: "FK" command (1270A513 Issue 3, page 5-14).
I couldn't find any commands for doing it by Java code. I used Host Command Reference manual (1270A351 Issue 6) and found only A4- Form a Key from Encrypted Components command, but this command for generating key from Encrypted components.
Is there way to generate encrypted key using clear components?
There is no way to do this and for good reason. If you were to send this via your java code it is open to attack as the clear components are being sent through the network unencrypted. Any person intercepting these components can generate the key themselves. The GC and FK commands are meant to be used with the console and not remotely which is why it is possible using those commands.
If you already have the components you can only form them at the HSM console. If you can possibly generate new keys use the A0 command from your java code.
I don't recommend using this in production. I would take following steps if i really need to do that.
Generate A ZMK(clear and encrypted) on HSM console using 'GC' and 'FK' command.(Need to do only once and reuse key).
use clear ZMK to encrypt all of your keys using TripleDES-ECB-NOPADDING in your application.
Use command 'A6'. Import all ZMK encrypted keys to LMK.
Use 'A4' command to form key using LMK encrypted Components.

Encrypt alfresco password

I want to encrypt db.username and db.password written in alfresco-global.properties .
Can anyone please help me in this, where that username & password is used so that i can write decryption code there, so that alfresco can understand.
I am using Alfresco 4.2 Enterprise.
Can't you just change permissions on alfresco-global.properties so only the user running the Alfresco JVM can read it ?
Anyways, that said the values are used in tomcat/webapps/alfresco/WEB-INF/classes/alfresco/core-services-context.xml. Create a custom bean baseDefaultDataSource deriving from org.apache.commons.dbcp.BasicDataSource and handle the decryption in that class. Make sure to pass the decrypted value to the jdbc driver. Also make sure the definition gets processed after the defaults kick in. You might want to drop your spring context into tomcat/shared/classes/alfresco/extension.

Crypted passwords in PHP-apis? Twitter?

I'm creating a small service using api-libraries, such as Twitter. Is it possible to input users password to Twitter-api crypted. I would not like to store peoples passwords uncrypted on my server, but writing them every time is annoying.
Does someone know?
Martti Laine
You should consider using OAuth.
Here are some examples.
If you're using PHP you can use the GnuPG extension to easily encrypt any credentials on your side, and decrypting them before making the API calls.
Here's a check list of things you need:
make sure gpg is installed on your system;
create a gpg key pair and store the files on a safe location;
optionally password protect the generated private key;
use PHP's GnuPG extension to encrypt and decrypt data using those keys.
Here's a small PHP example, taken from the gnupg_encrypt() manual:
<?php
$res = gnupg_init();
gnupg_addencryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC");
$enc = gnupg_encrypt($res, "just a test");
echo $enc;
?>
This technique should also be applied even if you're using OAuth or other password-less authentication method. A common mistake is to use OAuth and not encrypt locally saved tokens as access to those tokens might give anyone the power to act on behalf of the user.

Resources