I have a Spring TextEncryptor defined like this:

    <bean id="textEncryptor" class="org.springframework.security.crypto.encrypt.Encryptors"
          factory-method="text">
        <constructor-arg value="${security.encryptPassword}" />
        <constructor-arg value="${security.encryptSalt}" />
    </bean>

which is fed these properties:

    security.encryptPassword=47582920264f212c566d5e5a6d
    security.encryptSalt=39783e315e6a207e733d6f4141
This works fine in my local environment. When I deploy to Heroku I get:

    java.lang.IllegalArgumentException: Unable to initialize due to invalid secret key
        at org.springframework.security.crypto.encrypt.CipherUtils.initCipher(CipherUtils.java:110)
        at org.springframework.security.crypto.encrypt.AesBytesEncryptor.encrypt(AesBytesEncryptor.java:65)
        at org.springframework.security.crypto.encrypt.HexEncodingTextEncryptor.encrypt(HexEncodingTextEncryptor.java:36)
        ...
    Caused by: java.security.InvalidKeyException: Illegal key size
        at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:972)
        at javax.crypto.Cipher.implInit(Cipher.java:738)
        at javax.crypto.Cipher.chooseProvider(Cipher.java:797)
        at javax.crypto.Cipher.init(Cipher.java:1276)
        at javax.crypto.Cipher.init(Cipher.java:1215)
        at org.springframework.security.crypto.encrypt.CipherUtils.initCipher(CipherUtils.java:105)
        ... 53 more

So I tried some smaller keys, but I always get the same problem. What is the correct key size to use on Heroku?
My answer is a bit late, but I wrote it to help anyone in need. By default, Spring Security uses a 256-bit key for encryption. This is not permitted by the JDK by default, which supports only up to 128-bit keys.

To solve this, you need to download the local_policy.jar and US_export_policy.jar files from Oracle (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download) and replace the ones in jdk_path/jre/lib/security/. Make sure you restart the application server for the changes to take effect.

On a separate note, I wouldn't place the secret key in a properties file. Instead, I recommend you put it in a key store. If you need help with that, let me know.
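A quick way to confirm which of those two situations a given JVM (your Heroku dyno included) is in, as an added diagnostic that is not part of the question or the answer above and is not Spring's own code: it reads the policy limit, then derives and uses a 256-bit key the way the stock TextEncryptor does. The PBKDF2 parameters are assumed from the Spring Security 3.x AesBytesEncryptor source, and the password and salt in main() are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AesKeySizeCheck {
    // Decode a hex string (Spring's Encryptors.text() expects the salt in hex).
    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Returns true if this JVM can run 256-bit AES the way the stock Spring
    // TextEncryptor does. Parameters (PBKDF2WithHmacSHA1, 1024 iterations,
    // AES/CBC/PKCS5Padding) are assumed from the Spring Security 3.x source.
    static boolean canUseAes256(String password, String saltHex) {
        try {
            int max = Cipher.getMaxAllowedKeyLength("AES");
            System.out.println("Policy allows AES keys up to " + max + " bits");
            if (max < 256) {
                return false; // restricted JCE policy: 256-bit AES is rejected
            }
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), hexToBytes(saltHex), 1024, 256);
            SecretKey key = new SecretKeySpec(f.generateSecret(spec).getEncoded(), "AES");
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            // A fixed zero IV is acceptable for a capability probe only; never reuse a fixed IV for real data.
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new byte[16]));
            cipher.doFinal("probe".getBytes(StandardCharsets.UTF_8));
            return true;
        } catch (GeneralSecurityException e) {
            // The restricted policy surfaces here as InvalidKeyException: Illegal key size
            System.out.println("256-bit AES rejected: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder secrets for the probe; not the values from the question.
        boolean ok = canUseAes256("probe-password", "0102030405060708");
        System.out.println(ok ? "unlimited-strength policy is active" : "install the JCE unlimited strength policy files, then restart");
    }
}
```

On JDK 8u151 and later the same effect is obtained with the `crypto.policy=unlimited` security property, and JDK 8u161 and later default to unlimited, so the check above reports 2147483647 there without any policy jars.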
So I think I've concluded Heroku just plain doesn't support 256-bit AES, which is what the stock TextEncryptors in spring-security use.

Instead I've used the BasicTextEncryptor from the Java Simplified Encryption library as an alternative backend and implemented the TextEncryptor interface.

It's less secure, but it works. It doesn't provide a salting mechanism, though I think there are provisions for that elsewhere in the library.

If anyone has any ideas how to get the stock encryptors working on Heroku, then that would still be preferable, I think.