Secure Configuration Management with Nacos Encryption Plugin and Jasypt in Spring Boot

This article compares Nacos 2.0's encryption plugin with the Jasypt library for securely storing passwords and secret keys in configuration files, providing step‑by‑step Maven dependencies, configuration examples, encryption/decryption code, and practical advice for Spring Boot applications.

Code Ape Tech Column

When using Nacos as a configuration center, many teams store all configuration, including passwords and keys, directly in Nacos, which raises security concerns if Nacos is compromised.

Two common approaches are:

Ignore the risk and rely on Nacos's own password protection.

Store sensitive data in local environment variables, which is convenient but less unified.

The article then explores a better solution using Nacos 2.0's plugin mechanism, which provides encryption based on SPI. To use it, you must be on Nacos 2.x and add the following Maven dependency:

<dependency>
  <groupId>com.alibaba.nacos</groupId>
  <artifactId>nacos-aes-encryption-plugin</artifactId>
  <version>${nacos-aes-encryption-plugin.version}</version>
</dependency>

Create configuration keys following the pattern cipher-[algorithm]-dataId, e.g., cipher-aes-application-dev.yml. Any value stored under such a key will be automatically encrypted.

However, this approach encrypts the entire file, which may be overkill for encrypting only a few fields, and requires upgrading to Nacos 2.x.

As an alternative, the article recommends using Jasypt, a dedicated encryption library that works seamlessly with Spring Boot.

First, add the Jasypt starter dependency:

<dependency>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-spring-boot-starter</artifactId>
  <version>3.0.5</version>
</dependency>

Then configure encryption in application.yml:

jasypt:
  encryptor:
    password: hello
    algorithm: PBEWithMD5AndDES

Note that the default algorithm PBEWITHHMACSHA512ANDAES_256 requires JDK 9+, so for JDK 8 you should use PBEWithMD5AndDES.

Generate encrypted values using the StringEncryptor bean:

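import org.jasypt.encryption.StringEncryptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;

@RestController
public class EncryptController {
  @Autowired private StringEncryptor encryptor; // bean provided by the Jasypt starter
  @GetMapping("/encrypt") // returns the value in the ENC(...) form Jasypt decrypts
  public String encrypt(@RequestParam String content) {
    return "ENC(" + encryptor.encrypt(content) + ")";
  }
}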

Store the encrypted string in Nacos or a local file, for example:

aestest:
  appKey: ENC(GT2vTn1+SdeFu90xH/vgw3uYTNyV5PGp)

Retrieve the value with the usual @Value("${aestest.appKey}") annotation; Jasypt automatically decrypts values wrapped in ENC(...).

The decryption works via a BeanFactoryPostProcessor that scans for @Value annotations, detects the Jasypt prefix, and replaces the placeholder with the decrypted content.
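As an added example (not code from the article or from the Jasypt project), the following command-line tool generates and checks ENC(...) values offline, so no HTTP endpoint is needed and the encryptor passphrase is read from the environment instead of application.yml. The class name JasyptValueTool is hypothetical, the jasypt core library that the starter pulls in is assumed to be on the classpath, and RandomIvGenerator is assumed to match the starter 3.x default.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class JasyptValueTool {
  private static final String PREFIX = "ENC(";
  private static final String SUFFIX = ")";

  // Passphrase comes from the environment, never from application.yml or Nacos.
  static StandardPBEStringEncryptor encryptor() {
    String password = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
    if (password == null || password.isEmpty()) {
      throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
    }
    StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
    enc.setPassword(password);
    enc.setAlgorithm("PBEWithMD5AndDES");        // algorithm configured on this page
    enc.setIvGenerator(new RandomIvGenerator()); // assumption: starter 3.x default
    return enc;
  }

  static String wrap(String plaintext) {
    return PREFIX + encryptor().encrypt(plaintext) + SUFFIX;
  }

  // Same rule as the resolution step: decrypt only ENC(...) values,
  // pass everything else through unchanged.
  static String resolve(String value) {
    String v = value.trim();
    if (!v.startsWith(PREFIX) || !v.endsWith(SUFFIX)) {
      return value;
    }
    return encryptor().decrypt(v.substring(PREFIX.length(), v.length() - SUFFIX.length()));
  }

  public static void main(String[] args) throws IOException {
    boolean encrypt = args.length == 1 && args[0].equals("encrypt");
    if (!encrypt && !(args.length == 1 && args[0].equals("resolve"))) {
      System.err.println("usage: JasyptValueTool encrypt|resolve   (value on stdin)");
      System.exit(2);
    }
    // Read the value from stdin so it stays out of argv and shell history.
    String value = new BufferedReader(new InputStreamReader(System.in)).readLine();
    if (value == null) throw new IllegalArgumentException("no value on stdin");
    System.out.println(encrypt ? wrap(value) : resolve(value));
  }
}
```

Spring Boot's relaxed binding maps the same JASYPT_ENCRYPTOR_PASSWORD environment variable to jasypt.encryptor.password, so the application can decrypt these values without a password entry in application.yml.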

Overall, the article advises abandoning Nacos's built‑in encryption plugin in favor of Jasypt for more flexible, field‑level secret management in Spring Boot applications.

Written by

Code Ape Tech Column

Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
