I have a Spring Boot application whose dynamic properties (including encrypted ones) are retrieved from the config server. When the config server is down, the Boot client reads its properties from property files copied directly from the git repo that is shared with the config server. Some properties in these property files are encrypted, and we are trying to enable the config server client to decrypt these properties, which were originally encrypted by the config server. Here are the changes I made to my config server client application:

1. Added the encryption-related configuration (the same values used by the config server) to the Boot application's property file (build-time property file):

        encrypt.keyStore.location=xxx
        encrypt.keyStore.password=xxx
        encrypt.keyStore.alias=xxx
        encrypt.keyStore.secret=xxx

2. Added the cloud security dependency (not sure if it's really needed) to the pom file:

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

Note: the Spring Cloud version is Angel.SR4.

3. Installed the full-strength JCE policy and replaced the 2 policy files in JRE lib/security.

4. Implemented sample code/property for the test:

   a. Added a sample encrypted property (secrectword) to the client's property file:

        secrectword={cipher}xxxxx

   b. Implemented the Boot application main class with the encrypted property:

    package com.equifax.dep.cloudconfig;

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @Configuration
    @EnableAutoConfiguration
    @RestController
    public class SampleConfigClientApplication {

        // Injected from the property file; the {cipher} value is expected to be
        // decrypted during bootstrap, before this injection happens.
        @Value("${secrectword}")
        private String password;

        @RequestMapping("/")
        public String home() {
            return "Security user password value is: " + password;
        }

        public static void main(String[] args) {
            SpringApplication.run(SampleConfigClientApplication.class, args);
        }
    }

When I launched the Boot application (http://localhost:8080/), the service throws the following exception:

 Exception in thread "main" java.lang.IllegalStateException: Cannot decrypt: key=secrectword
   at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:139)
   at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:116)
   at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:80)
   at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567)
   at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
   at org.springframework.boot.SpringApplication.run(SpringApplication.java:957)
   at org.springframework.boot.SpringApplication.run(SpringApplication.java:946)
   at com.equifax.dep.cloudconfig.SampleConfigClientApplication.main(SampleConfigClientApplication.java:44)
 Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
   at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:168)
   at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:131)
   ... 7 more

I couldn't find a solution on the internet. What did I miss, or what did I simply do wrong? Any advice or suggestions will be highly appreciated.

Comment From: dsyer

Did you configure the keystore correctly?

Comment From: lipinggm

Yes, I configured the keystore correctly. Actually, I can do the encryption and decryption using the endpoint (such as http://${host}:${port}/encrypt -d xxxx), but the issue is that when I put the encrypted property value into the application's property file (such as adding the property secrectword={cipher}xxx to this application's application.properties file), it throws an exception such as:

    Exception in thread "main" java.lang.IllegalStateException: Cannot decrypt: key=secrectword
      at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:139)
      at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:116)
      at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:80)
      at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567)
      at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
      at org.springframework.boot.SpringApplication.run(SpringApplication.java:957)
      at org.springframework.boot.SpringApplication.run(SpringApplication.java:946)
      at com.equifax.dep.cloudconfig.SampleConfigClientApplication.main(SampleConfigClientApplication.java:44)
    Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
      at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:168)
      at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:131)
      ... 7 more

In the published Config Server documentation, there is a statement like this:

If you don’t care about the endpoints, then it should work if you configure neither the key nor the enabled flag.

What does it really mean? Actually, I don't care much about the endpoint; what I care about is that the config server client application itself is automatically able to decrypt its configuration from its property files. Any suggestions?

Any advice or suggestions will be highly appreciated.

Comment From: dsyer

The client app has to have the keystore configuration, right (I hope that's obvious), if it wants to decrypt local properties files? So the endpoint is irrelevant (it's on the server).

Comment From: lipinggm

Thank you @dsyer ! It finally works. Here is the lesson I learned:

1. Configure the keystore correctly (the same as you did for the Config Server). I used a Windows absolute path to the keystore location for my local test, and somehow the Boot application doesn't find the jks file (I debugged into the Spring Boot code and found out that the location value somehow gets altered):

        encrypt.keyStore.location=classpath:/xxx.jks
        encrypt.keyStore.password=xxx
        encrypt.keyStore.alias=xxx
        encrypt.keyStore.secret=xxx

2. Make sure to add the following dependency to your Config Server Client pom.xml file:

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-rsa</artifactId>
    </dependency>

Thank you for your help!
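To make the mechanism behind this fix concrete, here is an added stand-alone sketch (not code from this issue, from Spring Cloud, or from spring-security-rsa) of what the bootstrap decrypt step effectively does with a local properties file: values prefixed with `{cipher}` are decrypted with a keystore-backed RSA encryptor built from the same `encrypt.keyStore.*` values the config server uses, plain values pass through, and the first value that cannot be decrypted aborts startup with the key name, which is the "Cannot decrypt: key=..." failure in the trace above. The package name, class name and the `s3cr3t` sample value are constructed for the demo; the `main` method uses a freshly generated key pair so it runs offline, whereas a real client would call `keyStoreEncryptor` with its `.jks` file. It assumes only `spring-security-rsa` (and its Spring Security crypto dependency) on the classpath.

```java
package com.example.cipherdemo; // hypothetical package, not from the issue

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

import org.springframework.core.io.ClassPathResource;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.rsa.crypto.KeyStoreKeyFactory;
import org.springframework.security.rsa.crypto.RsaSecretEncryptor;

/**
 * Stand-alone sketch of client-side {cipher} decryption for a local properties
 * file. Every value prefixed with {cipher} is decrypted with a keystore-backed
 * RSA encryptor; any value that cannot be decrypted aborts startup and names the
 * offending key, mirroring the "Cannot decrypt: key=..." failure in the thread.
 */
public class LocalCipherPropertiesDemo {

    static final String CIPHER_PREFIX = "{cipher}";

    /**
     * Builds the kind of encryptor the client needs to read its own encrypted
     * properties: keystore-backed RSA from spring-security-rsa. The parameters
     * mirror the encrypt.keyStore.location/password/alias/secret properties;
     * the location is resolved from the classpath, as in the working fix above.
     */
    static TextEncryptor keyStoreEncryptor(String classpathLocation, String storePassword,
                                           String alias, String keySecret) {
        KeyStoreKeyFactory factory = new KeyStoreKeyFactory(
                new ClassPathResource(classpathLocation), storePassword.toCharArray());
        KeyPair keyPair = factory.getKeyPair(alias, keySecret.toCharArray());
        return new RsaSecretEncryptor(keyPair);
    }

    /**
     * Decrypts {cipher}-prefixed values; other values pass through unchanged.
     * Fails fast on the first undecryptable value rather than exposing the raw
     * ciphertext to the application as if it were a valid setting.
     */
    static Map<String, String> decryptProperties(Properties props, TextEncryptor encryptor) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            if (value.startsWith(CIPHER_PREFIX)) {
                try {
                    value = encryptor.decrypt(value.substring(CIPHER_PREFIX.length()));
                } catch (RuntimeException e) {
                    throw new IllegalStateException("Cannot decrypt: key=" + key, e);
                }
            }
            result.put(key, value);
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Offline demo: a generated key pair stands in for the .jks file. A real
        // client would use keyStoreEncryptor("xxx.jks", "...", "...", "...") with
        // exactly the keystore, alias and passwords the config server uses.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        TextEncryptor encryptor = new RsaSecretEncryptor(gen.generateKeyPair());

        // Constructed sample of the property file as it would be committed to git:
        // the secret is present only in encrypted form.
        Properties props = new Properties();
        props.setProperty("secrectword", CIPHER_PREFIX + encryptor.encrypt("s3cr3t"));
        props.setProperty("server.port", "8080");

        Map<String, String> decrypted = decryptProperties(props, encryptor);
        System.out.println("secrectword -> " + decrypted.get("secrectword"));
        System.out.println("server.port -> " + decrypted.get("server.port"));

        // A client holding a different key cannot read the value and fails at
        // startup instead of silently serving the ciphertext string.
        TextEncryptor wrongKey = new RsaSecretEncryptor(gen.generateKeyPair());
        try {
            decryptProperties(props, wrongKey);
        } catch (IllegalStateException e) {
            System.out.println("expected failure: " + e.getMessage());
        }
    }
}
```

The point of the fail-fast branch is the security-relevant one: an application that started up with the literal `{cipher}...` string as its password would look healthy while being misconfigured, so refusing to start is the safer behaviour. Note that decryption still requires the private key material on every client, which is why the keystore (and its passwords) must be protected on the client hosts just as carefully as on the config server.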

Comment From: dsyer

Great. The RSA dependency should be included with spring-cloud-starter-config but I see it is not. I'll change that.

Comment From: mixaaaa

As a little comment on a configuration problem: I got the same error with the following.

use: "encrypt.keyStore.location=xxx" instead of: "encrypt.key-store.location=xxx"

The second, non-working option was suggested by IntelliJ's property auto-completion. It doesn't match the following code in EncryptionBootstrapConfiguration (line 112, v1.2.2.RELEASE):

    if (hasProperty(environment, "encrypt.keyStore.location")) {

Comment From: dsyer

@mixaaaa that's a bug (in a different project). Please open a new issue at https://github.com/spring-cloud/spring-cloud-commons.

Comment From: vskrahul

If you are migrating to Spring Boot v2, then this can help you:

https://stackoverflow.com/questions/58541498/upgrade-spring-boot-1-x-to-2-x-update-encrypt-key-vm-argument-if-using-cipher/58541499#58541499