Encrypt property values

The Onegini Security Proxy supports encrypting property values. The open source library Jasypt is used for this. The algorithm Onegini uses (PBEWITHSHA256AND256BITAES-CBC-BC, password-based AES-256 in CBC mode) is not present in the standard JRE security providers, so the BouncyCastle security provider has to be installed alongside Jasypt.

Install the Jasypt library

You can download Jasypt from their website.

Untar the library into a directory of your choice, e.g. the /opt directory.

Install a custom Java Cryptographic Provider

BouncyCastle is necessary for encrypting properties since the algorithm that is used is not included in the standard Java cryptographic provider.

Download the BouncyCastle provider jar (bcprov) that matches your Java version.

Move it to the lib folder inside the extracted Jasypt archive; the encrypt and decrypt scripts add the jars in that folder to their classpath.

Note: 256-bit AES requires a Java runtime with unlimited-strength cryptography. On Java versions before 8u161 this means installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files; from 8u161 onwards unlimited strength is enabled by default. Install the proper JCE policy files for your Java version before encrypting properties, otherwise encryption fails with an illegal key size error.

Encrypt property values

Any property can be encrypted; passwords and other secrets are the obvious candidates. The steps below describe how to do this.

Navigate to the bin directory of the installed Jasypt library:

cd <JASYPT_PATH>/jasypt-1.9.1/bin/

Generate a master password, either with a password generator or with the following command (64 hex characters from the OpenSSL random generator):

openssl rand -hex 32

Next, execute the following command:

./encrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_ENCRYPT>'

Note: the master password is needed when starting / stopping the Security Proxy instance(s), because the proxy uses it to decrypt the properties. Keep it somewhere safe and separate from the encrypted values; if it is lost, the encrypted values cannot be recovered.

If the password or the input contains a single quote, replace each single quote with the sequence '"'"' (this closes the single-quoted string, inserts a single quote inside double quotes, and reopens the single-quoted string).

When the above command is executed the encrypted property value is printed to the screen. Jasypt prepends a random salt to every encryption, so encrypting the same input twice produces different output; both values decrypt to the same plaintext.

Note: You can verify the encryption by decrypting the printed value with the same master password, which must print the original input:

./decrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_DECRYPT>'

The last step is to configure the encrypted value as the actual value in the docker compose file. The value has to be written as ENC(<ENCRYPTED_VALUE>), i.e. the encrypted value wrapped in ENC( and ). Below is an example of setting an encrypted value:

FOO_BAR=ENC(6sCtMDYFi5MhTfRk9x6tzVuc/TouSqLnTsajxGdOq/4=)
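The steps above, from master password to ENC(...) line, as an added shell script that is not part of the Onegini or Jasypt documentation. It drives encrypt.sh and decrypt.sh for a batch of KEY=value lines, verifies every ciphertext by decrypting it again before printing it, and wraps the result for the docker compose file. Assumptions of this example: JASYPT_HOME points at the extracted jasypt-1.9.1 directory (defaulting to the /opt location the page suggests) with the BouncyCastle jar in its lib folder; the MASTER_PASSWORD variable, the --run flag and the check_enc_shape heuristic are the example's own. The heuristic assumes Jasypt's default output layout of a 16-byte random salt followed by PKCS#5-padded AES-CBC blocks, which the 32-byte example value on the page is consistent with.

```shell
#!/bin/sh
# Added example (not Onegini's or Jasypt's own tooling): batch-encrypt
# KEY=value pairs, verify each round trip, and emit KEY=ENC(...) lines.
set -eu

PROVIDER="org.bouncycastle.jce.provider.BouncyCastleProvider"
ALGORITHM="PBEWITHSHA256AND256BITAES-CBC-BC"
# Assumption: JASYPT_HOME is the extracted archive; /opt is the page's example.
JASYPT_BIN="${JASYPT_HOME:-/opt/jasypt-1.9.1}/bin"

# Run the Jasypt CLI. Passing password and input as separate argv entries
# means no shell quoting is needed, however many single quotes the values
# contain; the '"'"' sequence is only for typing the command interactively.
jasypt_cli() {                 # $1 = encrypt|decrypt, $2 = password, $3 = input
  "$JASYPT_BIN/$1.sh" providerClassName="$PROVIDER" algorithm="$ALGORITHM" \
      verbose="false" "password=$2" "input=$3"
}
encrypt_value() { jasypt_cli encrypt "$1" "$2"; }
decrypt_value() { jasypt_cli decrypt "$1" "$2"; }

# Sanity check on a ciphertext before it goes into a compose file: standard
# base64, decoded length at least 32 bytes and a multiple of 16 (assumed
# layout: 16-byte salt + AES-CBC blocks). Catches truncated copy-pastes.
check_enc_shape() {
  s="$1"; pad=0
  case "$s" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  n=${#s}
  [ $((n % 4)) -eq 0 ] || return 1
  case "$s" in *==) pad=2 ;; *=) pad=1 ;; esac
  decoded=$((n / 4 * 3 - pad))
  [ "$decoded" -ge 32 ] && [ $((decoded % 16)) -eq 0 ]
}

# Wrap a ciphertext the way the compose file expects, and read one back.
wrap_enc() { printf '%s=ENC(%s)\n' "$1" "$2"; }
unwrap_enc() {                 # "KEY=ENC(abc)" -> "abc"; non-zero if not wrapped
  v="${1#*=}"
  case "$v" in
    "ENC("*")") v="${v#ENC?}"; v="${v%?}"; printf '%s\n' "$v" ;;
    *) return 1 ;;
  esac
}

# Encrypt KEY=value lines from stdin; fail loudly if any round trip breaks.
encrypt_env_file() {           # $1 = master password
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac
    key="${line%%=*}"; plain="${line#*=}"
    cipher="$(encrypt_value "$1" "$plain")"
    check_enc_shape "$cipher" || { echo "unexpected ciphertext for $key" >&2; return 1; }
    back="$(decrypt_value "$1" "$cipher")"
    [ "$back" = "$plain" ] || { echo "round trip failed for $key" >&2; return 1; }
    wrap_enc "$key" "$cipher"
  done
}

# Invoked with --run so the functions can be sourced without touching Java.
if [ "${1:-}" = "--run" ]; then
  MASTER_PASSWORD="${MASTER_PASSWORD:-$(openssl rand -hex 32)}"
  echo "master password (needed by the proxy at start-up): $MASTER_PASSWORD" >&2
  # Constructed sample input; replace with your own KEY=value pairs.
  printf 'FOO_BAR=s3cret\nDB_PASSWORD=it'"'"'s secret\n' | encrypt_env_file "$MASTER_PASSWORD"
fi
```

Running `sh encrypt-env.sh --run > secrets.env` (with `JASYPT_HOME` and, optionally, `MASTER_PASSWORD` exported) prints the master password to stderr and the ready-to-paste `KEY=ENC(...)` lines to stdout. Because each value is decrypted again before it is printed, a wrong provider, a missing BouncyCastle jar or missing JCE policy files surface at this step rather than when the proxy starts.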