Decryption Provider
The decryption provider decrypts secrets generated by the Spring Cloud Config Server encryption method. For more details on generating secrets, you should read the Spring Cloud documentation and the Spring Cloud Config Server documentation on encrypting and decrypting.
The two main use cases for the decryption provider are:
- Decrypting encrypted secrets hosted by Config Server
- Storing encrypted secrets in a git repository
To use the provider, you need to add a reference to the Steeltoe.Configuration.Encryption NuGet package.
Then the decryption provider can be enabled as follows:

```csharp
using Steeltoe.Configuration.Encryption;

var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddDecryption();
```
This will use the Spring Cloud Config encryption mechanism. Any configuration value prefixed with {cipher} will be decrypted using the configured key:

```json
{
  "EncryptedSecret": "{cipher}23f97efe......"
}
```
To decrypt secrets, the decryption provider needs to be configured to match the encryption settings.
There are two types of encryption: symmetric and asymmetric. For symmetric encryption, a shared key is used to decrypt the secrets:

```json
{
  "Encrypt": {
    "Enabled": true,
    "Key": "12345678901234567890"
  }
}
```
Caution
The shared key should not be part of any source code repository, but should be passed in some other way to the application.
For asymmetric encryption, the configuration should be as follows:

```json
{
  "Encrypt": {
    "Enabled": true,
    "KeyStore": {
      "Location": "path/to/keystore",
      "Password": "keystore_password",
      "Alias": "keyalias"
    }
  }
}
```
Caution
The password and the keystore file should not be part of any source code repository, but should be passed in some other way to the application.
The following table describes the configuration settings that you can apply to the decryption provider:

Key | Description | Default |
---|---|---|
Encrypt:Enabled | Enable decryption of encrypted {cipher} values. | false |
Encrypt:Rsa:Strong | When set to true, the "strong" GCM AES algorithm is used. Otherwise, the standard CBC algorithm is used. | false |
Encrypt:Rsa:Salt | Salt for the random secret used to encrypt cipher text. | deadbeef |
Encrypt:Rsa:Algorithm | The RSA algorithm to use (DEFAULT or OAEP). | DEFAULT |
Encrypt:KeyStore:Location | Location of the keystore file. Only PKCS12 store is supported. | |
Encrypt:KeyStore:Password | Password that locks the keystore. | |
Encrypt:KeyStore:Alias | Alias for a key in the store. | |
Encrypt:Key | A symmetric key. As a stronger alternative, consider using a keystore. | |
Custom encryption
You can use your own encryption algorithm by implementing the ITextDecryptor interface:

```csharp
using System;
using Steeltoe.Configuration.Encryption;

public class ExampleTextDecryptor : ITextDecryptor
{
    // Called for values that carry no key alias; fullCipher is the encrypted value.
    public string Decrypt(string fullCipher)
    {
        throw new NotImplementedException();
    }

    // Called when the value names a key alias, so a decryptor can select among several keys.
    public string Decrypt(string fullCipher, string alias)
    {
        throw new NotImplementedException();
    }
}
```
Registration is done using the overloaded AddDecryption method:

```csharp
using Microsoft.Extensions.Logging.Abstractions;
using Steeltoe.Configuration.Encryption;

var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddDecryption(new ExampleTextDecryptor(), NullLoggerFactory.Instance);
```
Warning
Creating encryption algorithms is notoriously difficult. Only use this if you know what you are doing.
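As an added example that is not part of the Steeltoe documentation or library, the following ITextDecryptor delegates to ASP.NET Core Data Protection instead of implementing a cipher by hand, which is the safer way to satisfy the warning above. The class name, the key-ring path, the purpose string and the handling of the {cipher} marker are assumptions; it also assumes the Microsoft.AspNetCore.DataProtection.Extensions package is referenced and that the setting values were produced with IDataProtector.Protect on the same key ring.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Logging.Abstractions;
using Steeltoe.Configuration.Encryption;

// Key ring location is a placeholder; in practice it is mounted into the container or
// supplied by the platform, never committed alongside the application.
var keyRingPath = Environment.GetEnvironmentVariable("DATAPROTECTION_KEY_RING") ?? "/run/secrets/keyring";
IDataProtectionProvider dataProtection = DataProtectionProvider.Create(new DirectoryInfo(keyRingPath));

var builder = WebApplication.CreateBuilder(args);
builder.Configuration.AddDecryption(new DataProtectionTextDecryptor(dataProtection), NullLoggerFactory.Instance);

// Hypothetical ITextDecryptor that delegates to ASP.NET Core Data Protection instead of
// implementing a cipher itself. Values must have been produced by IDataProtector.Protect(string)
// with the same key ring and the same purpose string.
public sealed class DataProtectionTextDecryptor : ITextDecryptor
{
    private const string CipherPrefix = "{cipher}";
    private const string DefaultPurpose = "Steeltoe.Configuration.Encryption";
    private readonly IDataProtectionProvider _provider;

    public DataProtectionTextDecryptor(IDataProtectionProvider provider)
    {
        _provider = provider ?? throw new ArgumentNullException(nameof(provider));
    }

    public string Decrypt(string fullCipher) => Decrypt(fullCipher, DefaultPurpose);

    // The alias is mapped to the protector purpose, so a value protected for one alias
    // cannot be unprotected under another.
    public string Decrypt(string fullCipher, string alias)
    {
        if (string.IsNullOrWhiteSpace(fullCipher)) throw new ArgumentException("Cipher text must not be empty.", nameof(fullCipher));

        // Whether the provider passes the value with or without the {cipher} marker is an
        // assumption here, so both forms are accepted.
        string payload = fullCipher.StartsWith(CipherPrefix, StringComparison.Ordinal)
            ? fullCipher.Substring(CipherPrefix.Length)
            : fullCipher;

        string purpose = string.IsNullOrEmpty(alias) ? DefaultPurpose : alias;

        // Unprotect throws CryptographicException on a tampered value or a missing key; letting
        // that surface is preferable to silently returning the cipher text as the setting value.
        return _provider.CreateProtector(purpose).Unprotect(payload);
    }
}
```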