如何使用 Spring Boot JPA 外部化 Postgresql 列加密密钥?
[英]How to externalize the Postgresql column encryption key with Spring Boot JPA?
问题描述
One of my Postgresql entities has an encrypted column that I want decrypted when I read it with Spring Boot JPA.
我的一个 Postgresql 实体有一个加密的列,当我用 Spring Boot JPA 读取它时,我想解密它。 The encrypted entity fiels is decrypted with an hardcoded password :加密实体字段使用硬编码密码解密:
@ColumnTransformer(
read = "pgp_sym_decrypt(secretField::bytea, 'secr3t'),
write = "pgp_sym_decrypt(?, 'secr3t')
)
private String secretField;
I want to externalize the 'secr3t' password , so it is not hardcoded anymore.我想外部化 'secr3t' 密码,所以它不再是硬编码的。 But I cannot achieve this because :但我无法做到这一点,因为:
- Spring Boot annotations can only contain constant strings (no
@Value("${encrypt.key}")possible to read it from application.properties)Spring Boot 注释只能包含常量字符串(不能从 application.properties 读取@Value("${encrypt.key}")) - I found the line
current_setting('encrypt.key')to write inread = "pgp_sym_decrypt(secretField::bytea, current_setting('encrypt.key')), but it tells meorg.postgresql.util.PSQLException: ERROR: unrecognized configuration parameter "encrypt.key"even if I declareencrypt.keyinapplication.properties. I read that this parameter should be written in the server-sidepostgresql.confconfiguration file, but it feels very weird not to have the password on the client side instead.我发现current_setting('encrypt.key')行写入read = "pgp_sym_decrypt(secretField::bytea, current_setting('encrypt.key')),但它告诉我org.postgresql.util.PSQLException: ERROR: unrecognized configuration parameter "encrypt.key"即使我在application.properties声明了encrypt.key。我看这个参数应该写在服务器端postgresql.conf配置文件中,但是感觉很奇怪没有密码在客户端代替。
Is there a way to decrypt Postgresql columns with Spring Boot JPA without hardcoding the password ?有没有办法在不硬编码密码的情况下使用 Spring Boot JPA 解密 Postgresql 列? I really thought there would be a line in application.properties that I could write for this, since client-side key is possible, it is just... hardcoded by JPA constant values restriction.我真的认为application.properties中会有一行我可以为此编写,因为客户端密钥是可能的,它只是......由 JPA 常量值限制硬编码。
Nothing that I found refers to Spring Boot JPA decryption on https://www.postgresql.org/docs/8.3/pgcrypto.html or on the spring boot documentation.我在https://www.postgresql.org/docs/8.3/pgcrypto.html或 spring boot 文档上发现的任何内容都没有涉及 Spring Boot JPA 解密。 Everybody just seem to make examples with a hard-coded key.每个人似乎都只是用硬编码的密钥来做例子。
Related questions :相关问题:
1 个解决方案
解决方案1
1 2021-04-23 14:46:37
There is an available answer here .有一个可用的答案在这里。 The problem here is that it stores the data in the application.properties.这里的问题是它将数据存储在 application.properties 中。 In a production system, this solution is not the best one as it will change depending on the customer.在生产系统中,这种解决方案并不是最好的解决方案,因为它会根据客户的不同而变化。
But you can use the same structure and define your secret.key in another way you can change depending on your customer-specific key (eg fetching from a secure store).但是您可以使用相同的结构并以另一种方式定义您的secret.key,您可以根据您的客户特定密钥(例如从安全商店获取)进行更改。 Remember that, if you have more than one customer, it would be good to have separate keys for each one.请记住,如果您有多个客户,最好为每个客户设置单独的密钥。
Maybe change the setKey() method visibility to public would be interesting, once working in a multitenant environment will not allow you to define this key in the constructor.也许将 setKey() 方法的可见性更改为 public 会很有趣,一旦在多租户环境中工作将不允许您在构造函数中定义此键。 I still need to test more this approach of making it public because it can also impact the segregation of duties of the application.我仍然需要更多地测试这种公开的方法,因为它也会影响应用程序的职责分离。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.