
How to Secure Spring Cloud Config with Encryption: A Step‑by‑Step Guide

This tutorial explains why sensitive configuration data must be encrypted in microservice environments, walks through installing the Unlimited Strength JCE, configuring Spring Cloud Config’s {cipher} syntax, using symmetric and asymmetric keys, testing encryption endpoints, and managing keystores with keytool.

Programmer DD

Why Encrypt Configuration in a Microservice Architecture

In DevOps-driven microservice projects, teams often commit database credentials and other secrets to the configuration repository in plain text, so anyone with read access to the repository (or its history) can read them. Spring Cloud Config offers built-in encryption and decryption for property values: an encrypted value is stored with the {cipher} prefix, and by default the config server decrypts such values before serving them to clients. This protects the secret at rest in the repository; the decrypted value still travels to the client, so the config server should be reached over HTTPS. (Setting spring.cloud.config.server.encrypt.enabled=false makes the server pass the ciphertext through unchanged so that a client holding the key can decrypt it locally.)

Prerequisite: Unlimited Strength JCE

Older JDKs ship with a limited cryptographic policy, and Spring Cloud Config's encryptor needs the Unlimited Strength Java Cryptography Extension (JCE) policy to use 256-bit AES. On Java 8u151 and earlier, download the JCE policy zip from Oracle, extract local_policy.jar and US_export_policy.jar, and replace the existing files in $JAVA_HOME/jre/lib/security ($JAVA_HOME/lib/security for a JRE-only install). From Java 8u161 and Java 9 onward the unlimited policy is enabled by default (crypto.policy=unlimited in java.security), and this step is not needed.

Configuration Server Endpoints

/encrypt/status – GET; shows whether encryption is enabled and a key is installed.
/key – GET; displays the current key (for an RSA key pair this is the public key, which clients can use to encrypt values themselves).
/encrypt – POST; encrypts the request body and returns the ciphertext.
/decrypt – POST; decrypts the request body and returns the plaintext.

These endpoints are not protected by default. Whoever can call /decrypt can recover every secret in the repository, so put the config server behind authentication (Spring Security basic auth is the usual choice) and restrict network access to it.

After starting the config server, a GET request to /encrypt/status returns a JSON payload such as:

{
  "description":"No key was installed for encryption service",
  "status":"NO_KEY"
}

This indicates that no encryption key has been configured yet.

Configuring a Symmetric Key

Add the following property to the config server's configuration to define a symmetric key:

encrypt.key=didispace

The value is a password rather than a raw AES key (the key is derived from it with a password-based key derivation), so use a long random string in real deployments; didispace is only the tutorial's placeholder. In older Spring Cloud releases the encrypt.* settings are read while the bootstrap context is built, so they belong in bootstrap.properties (or bootstrap.yml) rather than application.properties; if /encrypt/status still reports NO_KEY after a restart, that is the usual cause. Restart the server and query /encrypt/status again; the response should now be:

{
  "status":"OK"
}

With the key in place, you can encrypt and decrypt values via the /encrypt and /decrypt POST endpoints. Example using curl (the config server in this tutorial listens on port 7001):

$ curl http://localhost:7001/encrypt -d didispace
3c70a809bfa24ab88bcb5e1df51cb9e4dd4b8fec88301eb7a18177f1769c849ae9c9f29400c920480be2c99406ae28c7

$ curl http://localhost:7001/decrypt -d 3c70a809bfa24ab88bcb5e1df51cb9e4dd4b8fec88301eb7a18177f1769c849ae9c9f29400c920480be2c99406ae28c7
didispace

The ciphertext is hex and differs on every call, because the symmetric encryptor prepends a fresh random IV; each of those outputs decrypts to the same plaintext. When the value contains characters that form encoding would alter (a + is the usual surprise), send it with --data-urlencode, or set an explicit Content-Type: text/plain header, instead of plain -d.

The key can also be supplied via the environment variable ENCRYPT_KEY for better externalization.
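An added example, not from the original article and not part of Spring Cloud Config: a stdlib-only Python check to run over a config repository (for instance as a pre-commit hook). It shows how the ciphertext returned by /encrypt is referenced from a .properties file and from a .yml file, and it reports two things the server will not catch for you: sensitive-looking properties that were committed without the {cipher} prefix, and {cipher} values in YAML that are not quoted (YAML reads an unquoted { as the start of a flow mapping, and the server then fails to load the file). The two sample files are constructed; the file names and the pattern used to recognise secret-bearing keys are assumptions to tune for your own repository.

```python
"""Added example (not from the original article or from Spring Cloud Config):
a stdlib-only check for a config repository that reports
  (a) sensitive-looking properties stored without the {cipher} prefix, and
  (b) {cipher} values in YAML that are not quoted (YAML reads an unquoted
      '{' as the start of a flow mapping and the server fails to load the file).
The sample files below are constructed; the key pattern is an assumption."""
import re
from typing import List, Tuple

# Assumption: property names whose last segment matches this carry secrets.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|secret|token|api[-_]?key|private[-_]?key)$", re.I)
# What /encrypt returns: the {cipher} marker followed by hex ciphertext.
CIPHER_VALUE = re.compile(r"^\{cipher\}[0-9A-Fa-f]+$")

Finding = Tuple[int, str, str]  # (line number, dotted key, problem)


def _check_value(lineno: int, key: str, value: str, quoted: bool,
                 yaml: bool, out: List[Finding]) -> None:
    """Apply the rule set to one key/value pair from either file format."""
    leaf = key.rsplit(".", 1)[-1]
    if value.startswith("{cipher}"):
        if yaml and not quoted:
            out.append((lineno, key, "{cipher} value must be quoted in YAML"))
        elif not CIPHER_VALUE.match(value):
            out.append((lineno, key, "{cipher} value is not hex ciphertext"))
    elif value and SENSITIVE_KEY.search(leaf):
        out.append((lineno, key, "sensitive value stored in plain text"))


def _split_yaml_value(value: str) -> Tuple[str, bool]:
    """Return (value, was_quoted) with any trailing '# comment' removed."""
    if value and value[0] in "'\"":
        end = value.find(value[0], 1)
        if end > 0:
            return value[1:end], True
    value = value.split(" #", 1)[0].rstrip()
    return ("" if value.startswith("#") else value), False


def scan_properties(text: str) -> List[Finding]:
    """Scan a .properties file (key=value, key:value or key value)."""
    out: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            _check_value(n, m.group(1), m.group(2).strip(), True, False, out)
    return out


def scan_yaml(text: str) -> List[Finding]:
    """Scan a .yml file with a minimal indentation-based walker (block
    mappings only, which is what Spring config files normally use)."""
    out: List[Finding] = []
    stack: List[Tuple[int, str]] = []  # (indent, key) path to current node
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "---":
            continue
        m = re.match(r"([A-Za-z0-9_.\-]+):(?:\s+(.*))?$", line)
        if not m:
            continue  # list items and other constructs are out of scope
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, m.group(1)))
        if not m.group(2):
            continue  # parent node without a scalar value
        value, quoted = _split_yaml_value(m.group(2).strip())
        _check_value(n, ".".join(k for _, k in stack), value, quoted, True, out)
    return out


# The /encrypt output shown in the article, reused as sample ciphertext.
CIPHERTEXT = ("3c70a809bfa24ab88bcb5e1df51cb9e4dd4b8fec88301eb7a18177f1769c849a"
              "e9c9f29400c920480be2c99406ae28c7")

# Constructed sample files, as they might sit in the config Git repository.
SAMPLE_PROPERTIES = f"""\
# didispace-dev.properties (constructed)
spring.datasource.url=jdbc:mysql://db:3306/app
spring.datasource.username=app
spring.datasource.password={{cipher}}{CIPHERTEXT}
app.legacy.api-key=hunter2
"""

SAMPLE_YAML = f"""\
# didispace-dev.yml (constructed)
spring:
  datasource:
    username: app
    password: '{{cipher}}{CIPHERTEXT}'   # correct: quoted
  rabbitmq:
    password: {{cipher}}{CIPHERTEXT}
oauth:
  client-secret: plain-text-secret
"""

if __name__ == "__main__":
    for name, findings in (("didispace-dev.properties", scan_properties(SAMPLE_PROPERTIES)),
                           ("didispace-dev.yml", scan_yaml(SAMPLE_YAML))):
        for lineno, key, problem in findings:
            print(f"{name}:{lineno}: {key}: {problem}")
```

Run as a script it prints one line per finding: the plain-text api-key in the properties file, the unquoted {cipher} value under spring.rabbitmq, and the plain-text oauth.client-secret. The quoted spring.datasource.password passes, which is the form to copy into your own YAML files.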

Using Asymmetric Encryption (RSA)

Use an RSA key pair when encryption and decryption should not share one secret: anyone who needs to produce ciphertext can be given the public key, while only the config server holds the private key. Generate the keystore with keytool (the alias must match the encrypt.key-store.alias configured below; the passwords and the -dname fields are placeholders):

$ keytool -genkeypair -alias config-server -keyalg RSA -keystore config-server.keystore -storepass 111111 -keypass 222222 -dname "CN=zhaiyongchao, OU=company, O=organization, L=city, ST=province, C=china"

Optionally add -validity 365 to make the certificate valid for one year (keytool's default is 90 days). On JDK 9 and later keytool creates a PKCS12 keystore by default, and PKCS12 does not support a key password that differs from the store password: keytool warns and ignores -keypass. Either pass -storetype JKS to keep the two passwords separate, or set encrypt.key-store.secret to the same value as the store password.

The generated config-server.keystore file should be placed where the config server can read it, e.g. under ${user.home} or on the classpath (src/main/resources, referenced as classpath:/config-server.keystore). Then configure the server to use the keystore:

encrypt.key-store.location=file://${user.home}/config-server.keystore
encrypt.key-store.alias=config-server
encrypt.key-store.password=111111
encrypt.key-store.secret=222222

Here password is the keystore password given as -storepass and secret is the key password given as -keypass.

Environment variables can also be used for these settings:

ENCRYPT_KEY_STORE_LOCATION
ENCRYPT_KEY_STORE_ALIAS
ENCRYPT_KEY_STORE_PASSWORD
ENCRYPT_KEY_STORE_SECRET

Supplying the passwords through environment variables keeps them out of source files and out of the Git history of the config repository. They remain readable by anyone who can inspect the config server's process environment, so restrict access to the host, and make the keystore file itself readable only by the account that runs the config server. Never commit the keystore containing the private key to the configuration repository; that would undo the separation the RSA setup provides.
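The keystore procedure above as one script, added here as an example and not taken from the original article: it generates the keystore, checks that the configured alias really exists before the config server is pointed at the file, locks down the file permissions, and prints the four ENCRYPT_KEY_STORE_* variables. It assumes keytool from a JDK is on PATH; the alias, both passwords and the -dname fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: generate the RSA keystore for
# the config server, verify the alias is really there, and emit the four
# ENCRYPT_KEY_STORE_* variables so the passwords never land in a properties file.
# Assumptions: keytool from a JDK is on PATH; alias, passwords and the -dname
# fields are placeholders to replace.
set -eu

KEYSTORE_ALIAS=config-server
KEYSTORE_PASS=111111   # placeholder: use a long random value
KEY_PASS=222222        # placeholder: use a long random value

make_keystore() {
  # $1 = directory to write config-server.keystore into; prints the file path.
  ks="$1/config-server.keystore"
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 2; }
  # keytool defaults to PKCS12 on current JDKs, and PKCS12 ignores a -keypass
  # that differs from -storepass; force JKS so key-store.secret stays distinct.
  keytool -genkeypair -alias "$KEYSTORE_ALIAS" -keyalg RSA -keysize 2048 \
    -validity 365 -storetype JKS -keystore "$ks" \
    -storepass "$KEYSTORE_PASS" -keypass "$KEY_PASS" \
    -dname "CN=config-server, OU=company, O=organization, L=city, ST=province, C=CN"
  # Fail here, not at server start-up, if the alias does not match.
  keytool -list -storetype JKS -keystore "$ks" -storepass "$KEYSTORE_PASS" \
    -alias "$KEYSTORE_ALIAS" >/dev/null
  chmod 600 "$ks"   # only the config server's account may read the private key
  printf '%s\n' "$ks"
}

print_env() {
  # $1 = keystore path; same settings as encrypt.key-store.* in application.properties.
  printf 'export ENCRYPT_KEY_STORE_LOCATION=file://%s\n' "$1"
  printf 'export ENCRYPT_KEY_STORE_ALIAS=%s\n' "$KEYSTORE_ALIAS"
  printf 'export ENCRYPT_KEY_STORE_PASSWORD=%s\n' "$KEYSTORE_PASS"
  printf 'export ENCRYPT_KEY_STORE_SECRET=%s\n' "$KEY_PASS"
}

# Usage: sh make-keystore.sh /etc/config-server
# then feed the printed exports into the config server's environment.
if [ $# -ge 1 ]; then
  ks=$(make_keystore "$1")
  print_env "$ks"
fi
```

The JKS choice is deliberate: it is the format the encrypt.key-store.* settings were written for, and it is the only way to keep encrypt.key-store.secret different from encrypt.key-store.password on a current JDK. If you prefer PKCS12, drop -storetype JKS and set both values to the store password.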

Summary

By installing the Unlimited Strength JCE where the JDK still needs it, configuring either a symmetric encrypt.key or an RSA keystore, and using the provided /encrypt and /decrypt endpoints, Spring Cloud Config can store encrypted configuration properties in the repository and decrypt them for clients, protecting sensitive data from exposure through the configuration files. The endpoints, the key material and the transport to clients must be protected in turn, or the encryption only moves the problem.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".