Encrypting Passwords In Java Property Files

Posted on by admin

Java Properties

In this Java tutorial we will see what PBE is and how we can use it in Java to encrypt and decrypt a file. In password-based encryption (PBE), a password is chosen and used along with a generated salt (key) to encrypt. The same password is then used along with the salt again to decrypt the file. We have the following three steps to achieve password encryption and decryption:

1. Generate a random key.
2. Generate the encrypted password from the plain-text password.
3. Retrieve the plain-text password from the encrypted password.

Encrypting

I think that the best approach is to ensure that your config file (containing your password) is only accessible to a specific user account. For example, you might have an application-specific user appuser to which only trusted people have the password (and to which they su). That way, there's no annoying cryptography overhead and you still have a password which is secure. EDIT: I am assuming that you are not exporting your application configuration outside of a trusted environment (which I'm not sure would make any sense, given the question).

Well, to solve the problems of a master password, the best approach is not to store the password anywhere; the application should encrypt passwords for itself, so that only it can decrypt them. The big point, and the elephant in the room and all that, is that if your application can get hold of the password, then a hacker with access to the box can get hold of it too! The only way somewhat around this is that the application asks for the 'master password' on the console using standard input, and then uses this to decrypt the passwords stored on file.

Is the problem reading/writing a properties file, or encrypting/decrypting a string? If the latter, then the standard Java API for encryption is JCE, and it comes.

Of course, this completely makes it impossible to have the application start up unattended along with the OS when it boots. However, even with this level of annoyance, if a hacker manages to get root access (or even just access as the user running your application), he could dump the memory and find the password there. The thing to ensure is to not let the entire company have access to the production server (and thereby to the passwords), and make sure that it is impossible to crack this box!

If you are using Java 8, the use of the internal Base64 encoder and decoder can be avoided by replacing return new BASE64Encoder().encode(bytes); with return Base64.getEncoder().encodeToString(bytes); and return new BASE64Decoder().decodeBuffer(property); with return Base64.getDecoder().decode(property); Note that this solution doesn't protect your data, as the methods for decrypting are stored in the same place. It just makes it more difficult to break.
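The three steps from the introduction and the java.util.Base64 replacement described above, as an added example that is not code from the original post or its Stack Overflow sources. It assumes Java 8+ and my own choices of PBKDF2WithHmacSHA256 for key derivation from the master password plus a random salt, AES/GCM for the encryption itself, and the constructed class name PbeProperties and sample values.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
public class PbeProperties {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, ITERATIONS = 210_000;
    private static final SecureRandom RNG = new SecureRandom();
    // Step 1: derive a 256-bit AES key from the master password and a fresh random salt with PBKDF2.
    static SecretKey deriveKey(char[] master, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(master, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }
    // Step 2: encrypt the plain-text password; the stored value is base64(salt || iv || ciphertext+tag).
    static String encrypt(char[] master, String plain) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
        return Base64.getEncoder().encodeToString(out); // java.util.Base64, not sun.misc.BASE64Encoder
    }
    // Step 3: recover the plain-text password; a wrong master password or an edited value fails the GCM tag check.
    static String decrypt(char[] master, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        byte[] salt = Arrays.copyOfRange(in, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(in, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(master, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(in, SALT_LEN + IV_LEN, in.length - SALT_LEN - IV_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        char[] master = "demo-master".toCharArray(); // constructed; in practice read it from the console, as the answer suggests
        Properties p = new Properties();
        p.setProperty("db.password", encrypt(master, "s3cret")); // constructed sample value
        System.out.println("stored:    " + p.getProperty("db.password"));
        System.out.println("recovered: " + decrypt(master, p.getProperty("db.password")));
    }
}
```

The stored string can be written out with Properties.store and read back with Properties.load; anyone who can read both the file and the master password can decrypt it, which is the limitation the answers above describe.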

See More On Stackoverflow

Mainly it avoids printing it and showing it to everybody by mistake.