Encrypt configuration secrets

Data stored in the configuration file (config.json) can be protected by replacing the clear text value with an encrypted value. Decryption is performed by the system at startup using the configured decryption key.

Encryption can be done either with the tool provided on this page or with another tool that supports AES encryption, OpenSSL for instance. This page describes using the tool from Fortified ID.

Using the bundled tool

Download and unzip.

Encrypt by executing:

java -jar encryptor-2.0.1.jar -key the_enc_key -operation encrypt -data secret -type local/localgcm -keysize 256

Output will yield an encrypted value.

Decrypt by executing:

java -jar encryptor-2.0.1.jar -key the_enc_key -operation decrypt -data lILFU5AHjVlq0G3coczRY10f1SaAt4q/Ln+rE6i00l/rYHP+dUA= -type local/localgcm -keysize 256

Output will yield a decrypted value.

Replace the plaintext value in the config.json file with the encrypted value, using the format for an encrypted value: "${secrets.replace_with_encrypted_value}". Replace "replace_with_encrypted_value" with the encrypted value you got from the tool. Example of an encrypted value: "${secrets.lILFU5AHjVlq0G3coczRY10f1SaAt4q/Ln+rE6i00l/rYHP+dUA=}"

The value "secret" is replaced by the encrypted value in the example.

{
  "my_protected_data":"secret"
}

{
  "my_protected_data":"${secrets.lILFU5AHjVlq0G3coczRY10f1SaAt4q/Ln+rE6i00l/rYHP+dUA=}"
}
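A pre-deployment check for the format above, as an added example that is not part of the Fortified ID tooling: it walks a parsed config.json, confirms each "${secrets.…}" value is well formed, and flags likely secrets still stored in clear text. Assumptions: the wrapper is the whole string value, the tool's output is standard base64 (as the sample value suggests), and the key-name hints and all sample entries other than my_protected_data are constructed for illustration.

```python
import base64
import json
import re

# Wrapper format documented on this page: "${secrets.<encrypted value>}"
SECRET_REF = re.compile(r"^\$\{secrets\.(.*)\}$", re.DOTALL)
# Assumption: key names matching these hints should hold protected values.
SENSITIVE = re.compile(r"pass|secret|token|key|protected", re.IGNORECASE)


def classify(key, value):
    """Classify one string value from config.json."""
    match = SECRET_REF.match(value)
    if match:
        try:
            # Assumption: tool output is standard base64, as in the page's sample.
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "malformed"
        return "encrypted" if raw else "malformed"
    if "${secrets." in value:
        return "malformed"  # wrapper started but not closed, or has extra text
    return "plaintext-sensitive" if SENSITIVE.search(key) else "plain"


def audit_config(node, path="$", key=""):
    """Walk parsed JSON and return {json_path: status} for string values."""
    result = {}
    if isinstance(node, dict):
        for name, value in node.items():
            result.update(audit_config(value, f"{path}.{name}", name))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            result.update(audit_config(value, f"{path}[{i}]", key))
    elif isinstance(node, str):
        result[path] = classify(key, node)
    return result


# Constructed sample input; only my_protected_data comes from the page.
SAMPLE = json.loads(r"""{
  "my_protected_data": "${secrets.lILFU5AHjVlq0G3coczRY10f1SaAt4q/Ln+rE6i00l/rYHP+dUA=}",
  "db": {"host": "db.example.internal", "password": "secret"},
  "api_token": "${secrets.lILFU5AH jVlq}"
}""")

if __name__ == "__main__":
    for json_path, status in audit_config(SAMPLE).items():
        print(f"{status:20} {json_path}")
```

The check only validates the wrapper and encoding; it does not decrypt, so a value encrypted with the wrong key still reports as "encrypted".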

Enabling local decryption

Add environment variables:

# Enable built-in 'local' impl
FORTIFIED_SECRETS_IMPL=local

# Enable built-in 'localgcm' impl; this only works on versions 3.1.0 and later
FORTIFIED_SECRETS_IMPL=localgcm

# AES secret
FORTIFIED_SECRETS_SECRET=the_enc_key

For Windows: System Properties > Advanced tab > Environment Variables > System variables

Requirement

Java 17 must be installed and on the path when executing the command.
