Original functionality maintained with the addition of support for retrieving encryption/decryption keys directly from specific environment variables.
Also added the following alias:
- encrypt -v <value> [-k <keyfile>] for encrypting values. Alias of encrypt-config-value.
- Ensure you have an encryption & decryption key in the specified environment variables. This could already be set up in your $PROFILE; you can check with:
C:\ws\game-agent> echo ${env:config.encryption.key}
RSA-PUB:ZIBIIjANBgkq...
C:\ws\game-agent> echo ${env:config.decryption.key}
RSA-PRIV:DvIEgvIBDA...
- Generate a new encrypted value
my-application$ ./target/game-agent-shaded.jar encrypt -v topSecretPassword
enc:V92jePHsFbT0PxdJoer+oA==
- Paste it into your config
auth:
  username: my-user
  password: ${enc:V92jePHsFbT0PxdJoer+oA==}
- Start your application (with the config.decryption.key environment variable set)
my-application$ ./target/game-agent-shaded.jar start config.yml
- Ensure Java 8 is set in your path (for "java -jar...") and as your JAVA_HOME (for "mvn..."). This needs to happen before launching a shell, IDE, etc. For the build to work, the two version commands should return something like the following:
C:\ws\encrypted-config-value [develop]> java -version
openjdk version "1.8.0_232"
OpenJDK Runtime Environment Corretto-8.232.09.1 (build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM Corretto-8.232.09.1 (build 25.232-b09, mixed mode)
C:\ws\encrypted-config-value [develop]> mvn -version
Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T12:00:29-07:00)
Maven home: C:\Program Files\JetBrains\IntelliJ IDEA 2019.2.4\plugins\maven\lib\maven3\bin\..
Java version: 1.8.0_232, vendor: Amazon.com Inc., runtime: C:\Program Files\Amazon Corretto\jdk1.8.0_232\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
- Ensure the project is set up to use Gradle as the build system in your IDE & CLI. For CLI, you can test by building:
.\gradlew.bat clean build
- Make code changes
- Build
.\gradlew.bat clean build
- Tag in git (package versions are driven from git tags)
git tag -a 2.2.3-wonderstorm -m "I have fixed bugs"
- Push to package repo
.\gradlew.bat publishGprPublicationToWs-githubRepository
This repository provides tooling for encrypting certain configuration parameter values in Dropwizard apps. This defends against accidental leaks of sensitive information such as copy/pasting a config file - unlike Jetty obfuscated passwords, one would also have to share the encryption key to actually reveal the sensitive information.
A Dropwizard bundle which provides a way of using encrypted values in your Dropwizard configs (via a variable substitutor) and utility commands.
The bundle sets the ConfigurationSourceProvider to one capable of parsing encrypted values specified as variables.
The bundle adds the following commands:
- encrypt-config-value -v <value> [-k <keyfile>] for encrypting values. In the case of non-symmetric algorithms (e.g. RSA) specify the public key.
- generate-random-key -a <algorithm> [-f <keyfile>] for generating random keys with the specified algorithm. In the case of non-symmetric algorithms (e.g. RSA) the private key will have a .private extension.
Currently supported algorithms:
- AES: (AES/GCM/NoPadding) with random IV
- RSA
Maven artifacts are published to JCenter. Dropwizard bundles are separated into two different packages: one for Dropwizard 1.x and one for Dropwizard 0.9.x and below. Example Gradle dependency configuration:
repositories {
    jcenter()
}
dependencies {
    // adds EncryptedConfigValueBundle for Dropwizard 1.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle-dropwizard1:$version"
    // or, adds EncryptedConfigValueBundle for Dropwizard <= 0.9.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle:$version"
}
To use in your app, just add the bundle:
public final class Main extends Application<MyApplicationConfig> {
    @Override
    public void initialize(Bootstrap<MyApplicationConfig> bootstrap) {
        ...
        bootstrap.addBundle(new EncryptedConfigValueBundle());
    }
    ...
}
Then:
my-application$ ./bin/my-dropwizard-app generate-random-key -a AES
Wrote key to var/conf/encrypted-config-value.key
my-application$ ./bin/my-dropwizard-app encrypt-config-value -v topSecretPassword
enc:V92jePHsFbT0PxdJoer+oA==
Now use the encrypted value in your config file (as a variable):
auth:
  username: my-user
  password: ${enc:INNv4cGkVF45MLWZhgVZdIsgQ4zKvbMoJ978Es3MIKgrtz5eeTuOCLM1vPbQm97ejz2EK6M=}
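What the encrypt-then-substitute flow above amounts to for the AES case (AES/GCM/NoPadding with a random IV), as an added example that is not this project's code. The class name EncValueExample, the regex, and the payload layout base64(IV || ciphertext || tag) are assumptions; the library's actual serialized format may differ.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration; class name and payload layout are assumptions, not the library's format.
public final class EncValueExample {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final Pattern ENC = Pattern.compile("\\$\\{enc:([A-Za-z0-9+/=]+)\\}");

    // Assumed layout: "enc:" + base64(IV || ciphertext || GCM tag)
    static String encrypt(SecretKey key, String value) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh IV per value; never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return "enc:" + Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException when the key is wrong or the stored value was modified.
    static String decrypt(SecretKey key, String b64) throws Exception {
        byte[] in = Base64.getDecoder().decode(b64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }

    // Replaces every ${enc:...} variable in the raw config text with its plaintext.
    static String substitute(SecretKey key, String config) throws Exception {
        Matcher m = ENC.matcher(config);
        StringBuffer sb = new StringBuffer();
        while (m.find()) m.appendReplacement(sb, Matcher.quoteReplacement(decrypt(key, m.group(1))));
        return m.appendTail(sb).toString();
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // constructed throwaway key, generated per run
        String a = encrypt(key, "topSecretPassword"), b = encrypt(key, "topSecretPassword");
        if (a.equals(b)) throw new AssertionError("same ciphertext twice: IV was reused");
        System.out.print(substitute(key, "auth:\n  username: my-user\n  password: ${" + a + "}\n"));
    }
}
```

Because GCM is authenticated, a config value edited after encryption fails at load time instead of decrypting to garbage, and the random IV means re-encrypting the same secret never yields a value that can be matched against an older config file.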
Not Dropwizard? You can still use encrypted values in your configuration file.
public final class AppConfiguration {
    private static final ObjectMapper MAPPER = new YAMLMapper()
            .registerModule(new GuavaModule());
    ...
    public static AppConfiguration fromYaml(File configFile) {
        ...
        return EncryptedConfigMapperUtils.getConfig(configFile, AppConfiguration.class, MAPPER);
    }
    ...
}
This repository is made available under the Apache 2.0 License.