Encryption as a Service using Vault with Spring Boot

Database columns can be encrypted multiple ways. Most of the databases have built-in support to encrypt the values. For example, in Postgres we can use the function pgp_sym_encrypt and pgp_sym_decrypt. It has some disadvantages like every read/write operation will have some operation overhead and slow down the DB servers. Most of the database providers give an option to encrypt the values. Moreover, keys used for the encryption should be properly managed. And it is complicated to do within the realms of the database servers. In a distributed system, the computing costs should be kept minimal and databases have a very high i/o. And cryptographic functions use a big chunk of resources and it is a well-known fact. Most of the industries have regulatory requirements and protect sensitive data in an effective way. Finally, a common concern for engineers and security teams alike is to protect the data in transit and avoid eavesdropping. Encryption as a Service (EaaS) solves this problem and Hashicorp’s Vault has a transit engine which takes out the burden of encrypting the data in transit. Vault is already a default key management and secret management solution in most of the organizations and has been integration with popular

Continue reading

Reactive Springboot with Spring Cloud Vault

In the previous post, we saw how we can create reactive Microservices using Spring-boot and Kotlin. I want to write this as a series of articles to address various cross-cutting concerns when we encounter during the implementation of Microservices architecture. In this post, we will see about securing our Microservices using Spring Cloud Security and storing the credentials of the service and MongoDB in the Hashicorp Vault and then retrieve them using Spring Cloud Vault. In addition to providing a secure means of storing the credential and tokens in the vault, it gives us the advantage of dynamically serving them for your Microservices. We will be using the Hashicorp vault for our demo and use the Azure Vault in the next series. To begin with download the vaultproject from here according to you operating system. Create a vault config like below and the additional properties of the vault can be checked here. We are using the in-memory vault so the tokens will be persisted anywhere and disable_mlock prevents the memory being swapped to the disk. It is OK to use it for development/testing. Since I am using a MacOS for development mlock is not supported by the system. backend "inmem"

Continue reading