I configured a Spring Cloud Config server backed by a local Git repo and created a Spring Boot application to consume the configuration from SCC. The config file scc-client.yml in Git has two plain text properties and an encrypted one, app.secret:

app:
  name: client-app
  port: 8085
  secret: '{cipher}AgCGh ... X3pTW'
The decryption is done on the client side: bootstrap.properties on the SCC server has spring.cloud.config.server.encrypt.enabled=false and bootstrap.yml of my Spring Boot app contains:

...
encrypt:
  keystore:
    location: classpath:keystore.p12
    password: kspass
    alias: client-key
    secret: kspass
  key: client-key
  rsa:
    strong: true
...
The keystore.p12 contains the key used to encrypt the app.secret value. I generated the key using keytool:
keytool -genkeypair -alias client-key -keyalg RSA -storetype pkcs12 -keystore src/main/resources/keystore.p12 -keysize 4096 -storepass kspass -keypass kspass
Does Spring use a hybrid RSA encryption approach while decrypting the value on the client side in the setup above? Judging by the code, some AES-related components are being invoked in the o.s.s.r.c.RsaSecretEncryptor.decrypt() method, but I'm not quite certain whether that represents full hybrid encryption with a self-generated AES key being used along the way.
Spring Cloud does employ a hybrid algorithm of the type described in the Wikipedia link. The server, or a command line client, encrypts data. The server, or a command line client, or a client app can decrypt them. Note that client-side decryption is generally the weakest, since you have to configure it with the same private key as the encryptor.
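As an added illustration of the hybrid scheme the answer describes (my own example in plain JCE, not Spring's RsaSecretEncryptor code and not its exact wire format), the class below wraps a fresh AES key with the RSA public key and encrypts the value itself under AES-GCM, then reverses both steps with the private key loaded from the keystore, alias and password created by the keytool command in the question. The blob layout and the sample plaintext are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridEnvelopeDemo {
    // Assumed layout (illustrative, not Spring's): [2-byte len][RSA-OAEP wrapped AES key][12-byte IV][AES-GCM body+tag]
    static final String RSA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String AES = "AES/GCM/NoPadding";

    static byte[] encrypt(byte[] plaintext, PublicKey pub) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        SecretKey dek = kg.generateKey();               // fresh data key for every value
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = rsa.doFinal(dek.getEncoded()); // only the 16-byte key goes through RSA
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        byte[] body = aes.doFinal(plaintext);           // bulk data under AES, any length
        return ByteBuffer.allocate(2 + wrapped.length + iv.length + body.length)
                .putShort((short) wrapped.length).put(wrapped).put(iv).put(body).array();
    }

    static byte[] decrypt(byte[] blob, PrivateKey priv) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        byte[] wrapped = new byte[buf.getShort() & 0xFFFF];
        buf.get(wrapped);
        Cipher rsa = Cipher.getInstance(RSA);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        SecretKey dek = new SecretKeySpec(rsa.doFinal(wrapped), "AES"); // unwrap the data key
        byte[] iv = new byte[12]; buf.get(iv);
        byte[] body = new byte[buf.remaining()]; buf.get(body);
        Cipher aes = Cipher.getInstance(AES);
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        return aes.doFinal(body);                       // GCM tag check rejects tampered blobs
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");   // keystore from the question's keytool command
        try (FileInputStream in = new FileInputStream("src/main/resources/keystore.p12")) {
            ks.load(in, "kspass".toCharArray());
        }
        PrivateKey priv = (PrivateKey) ks.getKey("client-key", "kspass".toCharArray());
        PublicKey pub = ks.getCertificate("client-key").getPublicKey();
        byte[] blob = encrypt("constructed-sample-secret".getBytes("UTF-8"), pub); // constructed input
        System.out.println(new String(decrypt(blob, priv), "UTF-8"));
    }
}
```

The main method is where the answer's caveat becomes concrete: the client can only decrypt because it holds the private key, so anyone who can read keystore.p12 together with the password in bootstrap.yml can decrypt every value the server ever encrypted for it.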