Secure Spring Boot Configs: Encrypt Sensitive Data with Spring Cloud

Introduction

Spring Boot configuration files often contain sensitive data such as database passwords, API keys, and encryption keys. If these files are exposed, the information can be compromised, leading to security risks. Encrypting these values ensures that only authorized components can decrypt and use them.

Encryption Setup

Add the required Spring Cloud dependency to your project:

<code>&lt;properties&gt;
  &lt;java.version&gt;17&lt;/java.version&gt;
  &lt;spring-cloud.version&gt;2021.0.7&lt;/spring-cloud.version&gt;
&lt;/properties&gt;
&lt;dependencies&gt;
  &lt;dependency&gt;
    &lt;groupId&gt;org.springframework.cloud&lt;/groupId&gt;
    &lt;artifactId&gt;spring-cloud-context&lt;/artifactId&gt;
    &lt;version&gt;${spring-cloud.version}&lt;/version&gt;
  &lt;/dependency&gt;
&lt;/dependencies&gt;</code>

Configure the encryption key and salt in bootstrap.yml (or bootstrap.properties ) and disable the default bootstrap if not needed:

<code>spring:
  cloud:
    bootstrap:
      enabled: false
---
encrypt:
  key: aaaabbbbccccdddd
  salt: dead</code>

Encrypt a value using the TextEncryptor :

<code>TextEncryptor textEncryptor = new EncryptorFactory("dead").create("aaaabbbbccccdddd");
System.out.println(textEncryptor.encrypt("123123!@"));</code>

Place the encrypted value in the configuration file with the {cipher} prefix:

<code>db:
  password: '{cipher}6c05a3e62aa1f71b814fd283fc15197ec18a83b67d9da27dcb63c1b3925d68c1'</code>

Inject and use the decrypted value in your code:

<code>public class SpringCloudComprehensiveApplication implements ApplicationRunner {
  @Value("${db.password}")
  private String pwd;

  public static void main(String[] args) {
    SpringApplication.run(SpringCloudComprehensiveApplication.class, args);
  }

  @Override
  public void run(ApplicationArguments args) throws Exception {
    System.out.println(pwd);
  }
}</code>

Running the application prints the original plaintext (e.g., 123123!@ ).

Command‑Line Override

To avoid storing the key and salt in the configuration file, remove encrypt.key and encrypt.salt from the file and provide them as JVM arguments when starting the jar:

<code>java -jar xxx.jar --encrypt.key=aaaabbbbccccdddd --encrypt.salt=dead</code>

The Spring environment automatically picks up these values at runtime.

Implementation Details

Spring Cloud Context defines EncryptionBootstrapConfiguration , which registers an EnvironmentDecryptApplicationInitializer bean. This initializer decrypts properties marked with the {cipher} prefix before the application context is refreshed.

<code>public class EncryptionBootstrapConfiguration {
  @Bean
  public EnvironmentDecryptApplicationInitializer environmentDecryptApplicationListener(
      ConfigurableApplicationContext context, KeyProperties keyProperties) {
    TextEncryptor encryptor = context.getBean(TextEncryptor.class);
    return new EnvironmentDecryptApplicationInitializer(encryptor);
  }
}</code>

The EnvironmentDecryptApplicationInitializer obtains the encrypted property sources and decrypts them using the provided TextEncryptor .

<code>public class EnvironmentDecryptApplicationInitializer {
  private TextEncryptor encryptor;
  public EnvironmentDecryptApplicationInitializer(TextEncryptor encryptor) {
    this.encryptor = encryptor;
  }
  public void initialize(ConfigurableApplicationContext applicationContext) {
    MutablePropertySources propertySources = environment.getPropertySources();
    Map<String, Object> map = decrypt(this.encryptor, propertySources);
  }
}</code>

If the configuration center (e.g., Nacos) is not used, Spring Cloud falls back to DecryptEnvironmentPostProcessor , which performs similar decryption logic.

<code>public class DecryptEnvironmentPostProcessor extends AbstractEnvironmentDecrypt
    implements EnvironmentPostProcessor, Ordered {
  @Override
  public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
    if (bootstrapEnabled(environment) || useLegacyProcessing(environment) || !isEnabled(environment)) {
      return;
    }
    MutablePropertySources propertySources = environment.getPropertySources();
    Map<String, Object> map = TextEncryptorUtils.decrypt(this, environment, propertySources);
  }
}</code>

The same mechanism can be extended to support asymmetric algorithms such as RSA.