How to use Typesafe's Config in Scala with encrypted passwords

I would like to use Typesafe's Config in my project but I don't want any passwords in clear text in any file on the file system of any integration or production server. Also, I do not want to use environment variables to store clear text passwords.

Ideally, I would like a solution similar to the Jasypt EncryptablePropertyPlaceholderConfigurer available for Spring that would allow me to designate some property values as being encrypted and have the config system automatically decrypt them before handing the value down to the application. I'd like to use the JCE keystore to store the key and pass it into my app, but I'm also open to other tools that use a database to store keys.

Has anyone managed to get the Typesafe Config project to work this way?

Update: sourcedelica was completely correct to criticize the solution that relied on passing the key as an environment variable. I changed my question to request a solution that uses a more secure way of handling keys.

rzrelyea asked Apr 26 '13 16:04


2 Answers

You could try pimping the typesafe Config class like so:

import com.typesafe.config.{Config, ConfigFactory}

object ConfigPimping {
  implicit class RichConfig(conf: Config) {
    def getPasswordString(path: String, encryptKey: String): String = {
      val encrypted = conf.getString(path)
      val decrypted = decrypt(encrypted, encryptKey) // do decrypt logic of your choice here
      decrypted
    }
  }

  // The answer leaves the decryption routine open; plug in the scheme you actually use.
  private def decrypt(encrypted: String, encryptKey: String): String = ???
}

object ConfigTest {
  import ConfigPimping._
  def main(args: Array[String]): Unit = {
    val conf = ConfigFactory.load()
    val myPass = conf.getPasswordString("myPass", "myDecryptKey")
  }
}

Then, as long as the RichConfig is always imported and available, you can get access to your custom decrypt logic for passwords via the getPasswordString function.

cmbaxter answered Nov 11 '22 06:11


If you are happy to pass the encryption key as an environment variable then instead you could pass all of the sensitive properties as environment variables and not worry about using encryption directly with the Typesafe config library.

For example:

my.sensitive = ${FOO_ENV}

You said that you do not want to use environment variables to store clear text passwords, but if you are storing your encryption key in an environment variable it is the equivalent.

Alternatively you could use a system property instead of an environment variable. For example, when starting your app, use -Dmy.sensitive=xxx.

If you do end up getting encrypted values into your configuration then you could use a wrapper class that would do the decryption. I use a wrapper class to add methods like optString to Config. You could add a method like decryptString.

For a discussion on securing keys to be used in production see my question: Securing passwords in production environment.

sourcedelica answered Nov 11 '22 06:11
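Combining the two answers with the JCE keystore the question asks for, the following is an added example written for this page, not code from either answerer or from the Typesafe Config project. It assumes an AES key already stored in a JCEKS keystore (for instance with keytool -genseckey -keyalg AES -keysize 256 -storetype JCEKS, not shown), borrows Jasypt's ENC(...) marker for encrypted values, and uses an invented keystore path, alias and config key.

```scala
import java.io.FileInputStream
import java.security.{KeyStore, SecureRandom}
import java.util.Base64
import javax.crypto.{Cipher, SecretKey}
import javax.crypto.spec.GCMParameterSpec
import com.typesafe.config.{Config, ConfigFactory}

object EncryptedConfig {
  private val Prefix = "ENC("  // Jasypt-style marker for values that need decrypting
  private val IvLen = 12       // 96-bit nonce, the size recommended for GCM
  // Load the AES key stored under `alias` in a JCEKS keystore; only the keystore password reaches the process.
  def loadKey(path: String, storePass: Array[Char], alias: String): SecretKey = {
    val ks = KeyStore.getInstance("JCEKS")
    val in = new FileInputStream(path)
    try ks.load(in, storePass) finally in.close()
    ks.getKey(alias, storePass) match {
      case k: SecretKey => k
      case _ => throw new IllegalStateException(s"no secret key under alias '$alias'")
    }
  }
  // Produce ENC(base64(iv ++ ciphertext ++ tag)) for pasting into the .conf file.
  def encrypt(key: SecretKey, plain: String): String = {
    val iv = new Array[Byte](IvLen); new SecureRandom().nextBytes(iv)
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv))
    Prefix + Base64.getEncoder.encodeToString(iv ++ c.doFinal(plain.getBytes("UTF-8"))) + ")"
  }
  // GCM authenticates the value: a tampered entry raises AEADBadTagException instead of yielding garbage.
  def decrypt(key: SecretKey, payloadB64: String): String = {
    val p = Base64.getDecoder.decode(payloadB64)
    require(p.length > IvLen, "ciphertext too short to hold an IV")
    val c = Cipher.getInstance("AES/GCM/NoPadding")
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, p, 0, IvLen))
    new String(c.doFinal(p, IvLen, p.length - IvLen), "UTF-8")
  }
  implicit class RichConfig(conf: Config) {
    // ENC(...) values are decrypted on read; anything else passes through unchanged.
    def getDecryptedString(path: String)(implicit key: SecretKey): String = {
      val raw = conf.getString(path)
      if (raw.startsWith(Prefix) && raw.endsWith(")")) decrypt(key, raw.substring(Prefix.length, raw.length - 1))
      else raw
    }
  }
}

object Main extends App {  // constructed usage: keystore path, alias and config key are assumptions
  import EncryptedConfig._
  implicit val key: SecretKey = loadKey("/etc/myapp/keys.jceks", System.console().readPassword("keystore password: "), "config-key")
  val dbPassword = ConfigFactory.load().getDecryptedString("db.password")  // e.g. db.password = "ENC(...)" in application.conf
}
```

Run encrypt once per secret to generate the ENC(...) strings for application.conf; at runtime only the keystore password is entered at the console, so neither the secrets nor the data key appear in clear text in a file or environment variable.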