
Spring Cloud Config not decrypting the config server password

I have been working on Spring Cloud Config for a while. I have a requirement for securing the config data. As per the Spring Cloud documentation, I have configured the server.jks and added it to the classpath. Now I am able to encrypt and decrypt remote config data.

To make the config server secure, I have added the Spring Security starter and assigned credentials (password decrypted). For some reason the application is throwing exceptions saying that it does not have a keystore on the classpath. After googling it for a while, I found that the keystore should go in bootstrap.yml instead of application.yml. This is also not working; please point out what I am missing here.

Please find the yml files in git SpringConfigData

Exception

java.lang.IllegalStateException: Cannot decrypt: key=security.user.password
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:195) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:164) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:94) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:333) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:640) [spring-boot-1.3.3.RELEASE.jar:1.3.3.RELEASE]
    at org.springframework.boot.SpringApplication.createAndRefreshContext(SpringApplication.java:343) [spring-boot-1.3.3.RELEASE.jar:1.3.3.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:307) [spring-boot-1.3.3.RELEASE.jar:1.3.3.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1191) [spring-boot-1.3.3.RELEASE.jar:1.3.3.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1180) [spring-boot-1.3.3.RELEASE.jar:1.3.3.RELEASE]
    at com.test.TestConfigServerApplication.main(TestConfigServerApplication.java:12) [classes/:na]
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
    at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:151) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:187) ~[spring-cloud-context-1.1.0.BUILD-SNAPSHOT.jar:1.1.0.BUILD-SNAPSHOT]
    ... 9 common frames omitted

I have had this problem. To set symmetric encryption in the latest versions of Spring Cloud, you just have to set the encrypt.key property in bootstrap.yml (or .properties) with the required key (it is recommended to set the key as an OS environment variable and reference the variable in your file, for more security).

However, as you discovered, the properties in the bootstrap file are no longer imported. You must add the following dependency to your pom file for the properties in that file to be loaded:

<dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-bootstrap</artifactId>
</dependency>

After having done this, everything will work smoothly.
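A preflight check for the setup described in the answer above, as an added example that is not part of the original post or of Spring Cloud: it flattens the YAML files, finds values carrying Spring Cloud's `{cipher}` prefix, and reports when bootstrap.yml has no key material, holds a literal secret, or references an unset environment variable. The function names, the `ENCRYPT_KEY` variable name and the sample files are assumptions made for illustration.

```python
import re

SECRET_KEYS = ("encrypt.key", "encrypt.keyStore.password", "encrypt.keyStore.secret")

def flatten_yaml(text):
    """Flatten nested-mapping YAML (scalars only, no lists) into dotted keys."""
    props, stack = {}, []  # stack: (indent, key) of the currently open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("'\"")
        if value:
            props[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return props

def preflight(files, env):
    """files: {file name: YAML text}; env: mapping of environment variables."""
    flat = {name: flatten_yaml(text) for name, text in files.items()}
    boot = flat.get("bootstrap.yml", {})
    findings = []
    ciphered = sorted(k for p in flat.values() for k, v in p.items()
                      if v.startswith("{cipher}"))
    if ciphered and not ("encrypt.key" in boot or "encrypt.keyStore.location" in boot):
        findings.append("no key material in bootstrap.yml for: " + ", ".join(ciphered))
    for key in SECRET_KEYS:
        value = boot.get(key)
        if value is None:
            continue
        # Plain ${VAR} placeholders only; ${VAR:default} is not handled here.
        refs = re.findall(r"\$\{(\w+)\}", value)
        if not refs:
            findings.append(key + " is a literal secret; reference an environment variable")
        findings += [f"{key} references unset variable {r}" for r in refs if r not in env]
    return findings

# Constructed sample files (not the asker's real configuration).
SAMPLE = {
    "application.yml": "security:\n  user:\n    password: '{cipher}CONSTRUCTED'\n",
    "bootstrap.yml": "encrypt:\n  key: ${ENCRYPT_KEY}\n",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE, {}):
        print(finding)
```

Pass `os.environ` as `env` to check the shell that will launch the application.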

Instead of bootstrap.yml, I passed the properties using environment variables.

-Dencrypt.keyStore.location=classpath:/server.jks -Dencrypt.keyStore.password=springcloudconfigserver -Dencrypt.keyStore.alias=springcloudconfigserver -Dencrypt.keyStore.secret=springcloudconfigserver

Config Server is not able to locate the properties in bootstrap.yml for asymmetric security. Symmetric works just fine.

<!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-rsa -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-rsa</artifactId>
        <version>1.0.8.RELEASE</version>
    </dependency>

I was facing the same problem from the config client side. To resolve this, I added this dependency to the pom.xml, and in the bootstrap.properties/bootstrap.yml file I added the encrypt.key property, as I was using symmetric encryption.

Hope it helps.

I experienced this error because my application was taking the local bootstrap.yml instead of the cloud config on the server. That's why it cannot decrypt and it fails.

Make sure local bootstrap.yml has this prop, which indicates to use config.uri to read the config from the server instead:

spring.cloud.config.enabled: true

The simple answer is to move all the properties from bootstrap.properties to application.yaml.

I ran into this problem when I ran projects in IntelliJ IDEA and had the following project structure:

.
├── config
│   └── application.yaml
├── api-users
│   ├── pom.xml
│   └── src
└── config-server
    ├── pom.xml
    └── src

The project also used the file config/application.yaml when it was launched, which is why this error occurred.

After renaming the config directory to configuration, this problem was resolved.
