Encrypting Spring Boot Configuration Properties with Jasypt

This article demonstrates how to use the Jasypt library to encrypt sensitive Spring Boot configuration properties such as database credentials. It covers the Maven dependency setup, the encryption password configuration, test code for generating encrypted values, replacing plaintext with ENC() placeholders in application.yml, and supplying the encryption password at deployment time.

Top Architect

Spring Boot configuration files often contain plaintext credentials, which poses security risks. The article introduces Jasypt, a library that can encrypt these properties, improving the safety of configuration files.

First, add the Jasypt starter dependency to your project:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.0</version>
</dependency>

Configure the encryption password in application.yml (or application.properties) under the jasypt.encryptor.password key:

# jasypt encryption key
jasypt:
  encryptor:
    password: Y6M9fAJQdU7jNp5MW

Use a test class to generate encrypted values for the database URL, username, and password:

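import org.jasypt.encryption.StringEncryptor;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class DatabaseTest {
    // Bean provided by jasypt-spring-boot-starter, keyed by jasypt.encryptor.password
    @Autowired
    private StringEncryptor encryptor;

    @Test
    public void getPass() {
        // Encrypt each plaintext value that will be replaced in application.yml
        String url = encryptor.encrypt("jdbc:mysql://localhost:3306/mydb?autoReconnect=true&serverTimezone=GMT%2B8&useUnicode=true&characterEncoding=utf-8");
        String name = encryptor.encrypt("root");
        String password = encryptor.encrypt("123456");
        // Print the ciphertexts so they can be copied into ENC(...) placeholders
        System.out.println("database url: " + url);
        System.out.println("database name: " + name);
        System.out.println("database password: " + password);
        Assert.assertTrue(url.length() > 0);
        Assert.assertTrue(name.length() > 0);
        Assert.assertTrue(password.length() > 0);
    }
}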

The console output provides the encrypted strings. Jasypt salts each encryption randomly by default, so the values differ on every run, for example:

database url: 6Ut7iADnHS18cManoFJuNRQ5QEDfcho/...
database name: fmai72yGYKGlP6vTtX77EQ==
database password: GPMG7FGV+EA9iGkC27u67A==

Replace the original plaintext values in application.yml with the encrypted ones using the ENC() wrapper:

spring:
  datasource:
    url: ENC(h20YiPrvNnuuTGjlrE1RVpudMuIQAS6Z...)
    username: ENC(sT6BztXbJEa71eg3pPGYMQ==)
    password: ENC(MpSZFJ9ftq+3+VUANZjr0Q==)

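During deployment, avoid hard-coding the encryption password: remove the jasypt.encryptor.password entry from application.yml and pass it as a JVM argument or environment variable instead. A -D system property must come before -jar, otherwise it is handed to the application as a program argument, e.g.:

java -Djasypt.encryptor.password=Y6M9fAJQdU7jNp5MW -jar xxx.jar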

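Or set it in /etc/profile and source the file before starting the application. Either form places the password on the java command line, where it is visible in the process list on the host:

# line added to /etc/profile
export JASYPT_PASSWORD=Y6M9fAJQdU7jNp5MW

# reload the profile, then start the application
source /etc/profile
java -Djasypt.encryptor.password="${JASYPT_PASSWORD}" -jar xxx.jar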
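A pre-deployment check for the two mistakes this setup invites: the Jasypt password left in application.yml beside the ciphertext, and a datasource property that was never wrapped in ENC(). This is an added example, not code from the article or from Jasypt; the function names `flatten` and `audit`, the simplified YAML handling (space-indented key/value mappings only) and the sample configs are assumptions made for illustration.

```python
import re
# Properties the article encrypts; a bare value for any of them is a finding.
SENSITIVE = tuple("spring.datasource." + k for k in ("url", "username", "password"))
KEY_PATH = "jasypt.encryptor.password"

def flatten(yaml_text):
    """Flatten space-indented block mappings into {"a.b.c": value} (no lists/anchors)."""
    stack, flat = [], {}
    for line in yaml_text.splitlines():
        m = re.match(r"^(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m or m.group(2).startswith("#"):
            continue  # blank line, comment, or not a key/value line
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling mappings
        stack.append((indent, key))
        if value:
            flat[".".join(k for _, k in stack)] = value.strip("'\"")
    return flat

def audit(yaml_text):
    """Return findings for a hard-coded Jasypt password or unencrypted credentials."""
    flat, findings = flatten(yaml_text), []
    pw = flat.get(KEY_PATH)
    # A ${VAR} placeholder without a default is fine; any literal value is not.
    if pw is not None and not re.fullmatch(r"\$\{[^}:]+\}", pw):
        findings.append(f"{KEY_PATH}: password stored next to the ciphertext")
    for key in SENSITIVE:
        value = flat.get(key)
        if value is not None and not re.fullmatch(r"ENC\(.+\)", value):
            findings.append(f"{key}: plaintext value, expected ENC(...)")
    return findings

# Constructed sample configs; every value here is illustrative.
BAD = """
jasypt:
  encryptor:
    password: constructed-demo-password
spring:
  datasource:
    url: ENC(constructed-ciphertext)
    username: ENC(constructed-ciphertext)
    password: 123456
"""
GOOD = (BAD.replace("constructed-demo-password", "${JASYPT_PASSWORD}")
           .replace("password: 123456", "password: ENC(constructed-ciphertext)"))

if __name__ == "__main__":
    print("BAD:", audit(BAD), "\nGOOD:", audit(GOOD))
```

Run against the real application.yml in CI, a non-empty result from `audit` is a reason to fail the build before the file is committed or packaged.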