Spring config server security encryption and decryption not working

5

10

I am using Spring Config Server and Spring Security. I have followed the link https://cloud.spring.io/spring-cloud-config/multi/multi__spring_cloud_config_server.html and I have added JCE in the C:\Program Files\Java\jdk1.8.0_171\jre\lib\security folder. When I post to localhost:8080/encrypt, this response comes:

{ "description": "The encryption algorithm is not strong enough", "status": "INVALID" }

Please let me know the issue.

Puritanism answered 1/11, 2018 at 7:4 Comment(1)
Did you exactly follow the link? If not, put some parameters that you used. - Fulcrum
16

If you are getting the {"description": "The encryption algorithm is not strong enough", "status": "INVALID" } response, the solution is just to create a bootstrap.properties file in the config server and add the encrypt.key="Secrete Key" property.

Shunt answered 5/9, 2019 at 16:46 Comment(0)
8

Disclaimer: I am running org.springframework.cloud:spring-cloud-config-server:2.0.6.RELEASE.

It's not enough just to enable the unlimited crypto policy (btw, it is enabled by default starting from jdk8.161); you also have to provide (in case you want to use symmetric cryptography) the encrypt.key property.

You can find it further down in the documentation: http://cloud.spring.io/spring-cloud-config/2.0.x/single/spring-cloud-config.html#_key_management

PS: Set it within bootstrap.properties.

Kerrikerrie answered 7/11, 2018 at 9:51 Comment(0)
5

With spring cloud config server 2, we get an error response for endpoint /encrypt as The encryption algorithm is not strong enough. This error occurs if you don't have encrypt.key property defined. Even if this is defined, to avoid this error, the property encrypt.key should be placed in bootstrap.properties rather than application.properties.

Disquieting answered 2/12, 2020 at 6:59 Comment(0)
3

bootstrap.properties files are meant to be tracked under source control, so I would rather reference the encrypt.key value as an operating system environment variable.

For Unix systems use export ENCRYPT_KEY=YOURKEY

Add this variable to one of the startup files ~/.bashrc, ~/.profile or ~/.login to make it permanent.

Disgrace answered 11/4, 2020 at 14:10 Comment(0)
2

The cloud config server's encrypt.key property is used to decrypt encrypted properties in the configuration files, therefore it is clearly too late (and wrong from a security perspective) to provide said key in those configuration files.

It needs to be available to the bootstrap context, so yes, you can put it in bootstrap.yml if that configuration file is suitably secured or, better yet, it should be provided at startup time by a trusted secret storage system like Vault.

It's a shame that Spring's way of telling you that you have got this wrong is to emit this error message:

{"description":"The encryption algorithm is not strong enough","status":"INVALID"}
Drava answered 5/5, 2021 at 10:58 Comment(0)
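
Added example (not part of any answer above and not Spring's own code): a shell check that ties together the answers on where encrypt.key belongs. It flags a key placed in application.*, a literal key written into bootstrap.*, and a missing ENCRYPT_KEY. The function name, the finding codes and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit where a Spring Cloud Config Server project defines encrypt.key.
# Usage: audit_encrypt_key <resources-dir>; prints findings, returns 1 on a problem.
# Finding codes (WRONG_CONTEXT, LITERAL_KEY, ...) are names made up for this example.
# Only the flat "encrypt.key=..." / "encrypt.key: ..." form is matched, not nested YAML.
# The key value itself is never printed.
audit_encrypt_key() {
    dir=$1
    audit_rc=0
    literal=0
    for name in application.properties application.yml bootstrap.properties bootstrap.yml; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        line=$(grep -E '^[[:space:]]*encrypt\.key[[:space:]]*[=:]' "$f" | head -n 1)
        [ -n "$line" ] || continue
        value=$(printf '%s\n' "$line" | sed -E 's/^[^=:]*[=:][[:space:]]*//')
        case "$name" in
            application.*)
                # Per the answers on this page: the key must be in the bootstrap
                # context, otherwise /encrypt returns "not strong enough".
                echo "WRONG_CONTEXT $name"; audit_rc=1 ;;
            bootstrap.*)
                case "$value" in
                    '${'*'}') echo "PLACEHOLDER $name" ;;   # e.g. ${ENCRYPT_KEY}
                    *) literal=1                             # secret sits in the file
                       echo "LITERAL_KEY $name"; audit_rc=1 ;;
                esac ;;
        esac
    done
    if [ -n "${ENCRYPT_KEY:-}" ]; then
        echo "ENV_SET"
    elif [ "$literal" -eq 0 ]; then
        # Neither the environment nor a bootstrap file supplies a key.
        echo "NO_KEY"; audit_rc=1
    fi
    return "$audit_rc"
}
```

Run it against the config server's src/main/resources directory before committing; LITERAL_KEY is a finding only when the file is tracked in source control or is not otherwise secured.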
