Secure Spring Boot Configs: Encrypt Sensitive Properties with EnvironmentPostProcessor
This tutorial explains how to protect sensitive Spring Boot configuration values by encrypting them and automatically decrypting them at runtime using Spring Cloud Context's DecryptEnvironmentPostProcessor, complete with dependency setup, code examples, and JCE installation guidance.
Spring Boot configuration files store sensitive data in plain text, which is insecure. This guide shows how to encrypt such information using Spring Cloud Context's DecryptEnvironmentPostProcessor.
Environment
Spring Boot 2.4.12 with Spring Cloud Context 3.0.5.
Two approaches
Jasypt, a powerful open-source encryption library.
Implement a custom EnvironmentPostProcessor, or use the built-in DecryptEnvironmentPostProcessor provided by spring-cloud-context.
Dependency
<code><dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-context</artifactId>
    <version>3.0.5</version>
</dependency>
</code>
Application configuration
<code>encrypt:
  key: 123456789 # secret key
  salt: abcdef # salt for the key derivation (hex-encoded)
---
spring:
  cloud:
    decrypt-environment-post-processor:
      enabled: true # turn on decryption
</code>
Encrypt a property
Example property to encrypt:
<code>custom:
  password: 123456
</code>
Generate the encrypted text with the following Java snippet:
<code>import org.springframework.cloud.bootstrap.encrypt.KeyProperties;
import org.springframework.cloud.bootstrap.encrypt.TextEncryptorUtils;

public class EncryptProperty {
    public static void main(String[] args) throws Exception {
        String key = "123456789";  // must match encrypt.key
        String salt = "abcdef";    // must match encrypt.salt (hex-encoded)
        String text = "123456";    // plain-text value of custom.password
        KeyProperties keyProperties = new KeyProperties();
        keyProperties.setKey(key);
        keyProperties.setSalt(salt);
        // second argument is RsaProperties; null selects the symmetric (AES) text encryptor
        String result = TextEncryptorUtils.createTextEncryptor(keyProperties, null).encrypt(text);
        System.out.println(result);
    }
}
</code>
Place the result in the configuration file, prefixed with {cipher}:
<code>custom:
  password: "{cipher}2a483a44..."
</code>
If you encounter "Illegal key size" errors, install the appropriate Java Cryptography Extension (JCE) policy files for your JDK version (Java 6, 7, 8).
Testing
<code>import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
public class PasswordController {
    @Value("${custom.password}")
    private String pwd;
    @GetMapping("/pwd")
    public String pwd() {
        return pwd;
    }
}
</code>
When the application runs, the endpoint returns the decrypted password.
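The endpoint above confirms decryption only by returning the secret over HTTP. As an added example (not part of the tutorial), the following bean checks the same thing at context startup without exposing the value: if a listed property still starts with {cipher}, decryption did not happen (processor disabled, wrong encrypt.key or encrypt.salt, or spring-security-crypto missing from the classpath) and the application would otherwise run with the literal "{cipher}..." string as its password. The class name, package and the list of property names are assumptions for this example.

```java
package com.example.config;

import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

// Added example, not from the tutorial. Fails context refresh (before the web
// server starts listening) if any listed property is missing or still encrypted.
@Component
public class DecryptedPropertiesGuard implements InitializingBean {

    private static final String CIPHER_PREFIX = "{cipher}";

    // "custom.password" is the tutorial's property; the list itself is an assumption.
    private static final List<String> ENCRYPTED_PROPERTIES = Arrays.asList("custom.password");

    private final Environment environment;

    public DecryptedPropertiesGuard(Environment environment) {
        this.environment = environment;
    }

    @Override
    public void afterPropertiesSet() {
        for (String name : ENCRYPTED_PROPERTIES) {
            String problem = check(name, environment.getProperty(name));
            if (problem != null) {
                throw new IllegalStateException(problem);
            }
        }
    }

    // Returns null when the value is usable, otherwise a message that names the
    // property but never echoes its value (plain text or ciphertext).
    static String check(String name, String value) {
        if (value == null || value.isEmpty()) {
            return "Required property '" + name + "' is not set";
        }
        if (value.startsWith(CIPHER_PREFIX)) {
            return "Property '" + name + "' is still encrypted: check "
                    + "spring.cloud.decrypt-environment-post-processor.enabled, "
                    + "encrypt.key/encrypt.salt, and that spring-security-crypto is on the classpath";
        }
        return null;
    }
}
```

Because the check runs in afterPropertiesSet, a failure aborts startup during context refresh, which is earlier than an ApplicationReadyEvent listener would catch it.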
How it works
The DecryptEnvironmentPostProcessor is auto‑configured by the spring-cloud-context module. It reads all property sources, removes any existing decrypted source, and decrypts values that start with {cipher} using a TextEncryptor built from the encrypt.key and encrypt.salt properties.
<code>public class DecryptEnvironmentPostProcessor extends AbstractEnvironmentDecrypt implements EnvironmentPostProcessor, Ordered {

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        // Do nothing unless enabled and spring-security-crypto is on the classpath
        if (!isEnabled(environment) || !ClassUtils.isPresent("org.springframework.security.crypto.encrypt.TextEncryptor", null)) {
            return;
        }
        MutablePropertySources propertySources = environment.getPropertySources();
        // Drop a previously added decrypted source so the processor is idempotent
        environment.getPropertySources().remove(DECRYPTED_PROPERTY_SOURCE_NAME);
        // Collect and decrypt every "{cipher}..." value found across the property sources
        Map<String, Object> map = TextEncryptorUtils.decrypt(this, environment, propertySources);
        if (!map.isEmpty()) {
            // Plain-text values get the highest precedence and shadow the ciphertext
            propertySources.addFirst(new SystemEnvironmentPropertySource(DECRYPTED_PROPERTY_SOURCE_NAME, map));
        }
    }

    // isEnabled method omitted for brevity
}
</code>
The decryption logic replaces any value beginning with {cipher} by invoking the TextEncryptor to obtain the original plain text.
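The "Two approaches" section mentions writing a custom EnvironmentPostProcessor but shows only the built-in one. The following is an added example, not the tutorial's or Spring Cloud's code, that implements the same flow by hand: collect the effective value of every property, decrypt those starting with {cipher}, and push the plain text into a highest-precedence property source. The one deliberate difference is where the key comes from: the tutorial puts encrypt.key in the same application.yml as the ciphertext it protects, so this version reads the key from an environment variable instead. The variable name CONFIG_ENCRYPT_KEY, the property-source name and the package are assumptions; it also assumes the ciphertext was produced with Spring Security's Encryptors.text(key, salt), which is what the symmetric path of the tutorial's TextEncryptorUtils snippet uses (verify that against your Spring Cloud version if you mix the two).

```java
package com.example.config;

import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.Ordered;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.MutablePropertySources;
import org.springframework.core.env.PropertySource;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

// Added example, not the tutorial's or Spring Cloud's code. Register it in
// META-INF/spring.factories under org.springframework.boot.env.EnvironmentPostProcessor.
public class EnvKeyDecryptEnvironmentPostProcessor implements EnvironmentPostProcessor, Ordered {

    static final String CIPHER_PREFIX = "{cipher}";
    static final String KEY_ENV_VAR = "CONFIG_ENCRYPT_KEY";        // assumed variable name
    static final String SALT_PROPERTY = "encrypt.salt";            // same property the tutorial uses
    static final String DECRYPTED_SOURCE_NAME = "envKeyDecrypted"; // assumed source name

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        MutablePropertySources sources = environment.getPropertySources();
        // Idempotent: drop our own source if the environment is post-processed again
        sources.remove(DECRYPTED_SOURCE_NAME);

        // Sources iterate in precedence order, so the first value seen per name is the effective one
        Map<String, Object> effective = new LinkedHashMap<>();
        for (PropertySource<?> source : sources) {
            if (!(source instanceof EnumerablePropertySource)) {
                continue;
            }
            for (String name : ((EnumerablePropertySource<?>) source).getPropertyNames()) {
                effective.putIfAbsent(name, source.getProperty(name));
            }
        }

        Map<String, Object> decrypted = new LinkedHashMap<>();
        TextEncryptor encryptor = null; // built only if an encrypted value actually exists
        for (Map.Entry<String, Object> entry : effective.entrySet()) {
            Object raw = entry.getValue();
            if (!(raw instanceof String) || !((String) raw).startsWith(CIPHER_PREFIX)) {
                continue;
            }
            if (encryptor == null) {
                encryptor = buildEncryptor(environment);
            }
            String cipherText = ((String) raw).substring(CIPHER_PREFIX.length());
            try {
                decrypted.put(entry.getKey(), encryptor.decrypt(cipherText));
            } catch (RuntimeException ex) {
                // Name the property only; never echo ciphertext or key material into logs
                throw new IllegalStateException("Cannot decrypt property '" + entry.getKey() + "'", ex);
            }
        }

        if (!decrypted.isEmpty()) {
            // Highest precedence, so plain text shadows the "{cipher}..." literals
            sources.addFirst(new MapPropertySource(DECRYPTED_SOURCE_NAME, decrypted));
        }
    }

    private TextEncryptor buildEncryptor(ConfigurableEnvironment environment) {
        String key = System.getenv(KEY_ENV_VAR);
        if (key == null || key.isEmpty()) {
            // Fail fast rather than boot with "{cipher}..." strings in use as secrets
            throw new IllegalStateException("Encrypted properties present but " + KEY_ENV_VAR + " is not set");
        }
        // Salt must be hex-encoded, as with the tutorial's encrypt.salt; "deadbeef" is an example default
        String salt = environment.getProperty(SALT_PROPERTY, "deadbeef");
        // Assumption: ciphertext was produced with Encryptors.text(key, salt) (AES, PBKDF2-derived key)
        return Encryptors.text(key, salt);
    }

    @Override
    public int getOrder() {
        // Run after Boot's config data loading so the application.yml sources are already present
        return Ordered.LOWEST_PRECEDENCE;
    }
}
```

If you use this instead of the built-in processor, set spring.cloud.decrypt-environment-post-processor.enabled to false so the two do not both attempt decryption; since the key is no longer in application.yml, the built-in one would have nothing to work with anyway.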
(Figure omitted: JCE policy files installation directory)