Secure Spring Boot Configs with HashiCorp Vault: A Step‑by‑Step Guide
This tutorial shows how to install HashiCorp Vault, configure its secret engines, encrypt and decrypt data, store KV secrets programmatically, and integrate Vault with Spring Boot to protect sensitive configuration such as database credentials.
1. Introduction
Spring Boot is a popular Java microservice framework; its configuration files may contain sensitive data such as database passwords and API keys. Vault is an open‑source secret management tool that provides a centralized place to store static and dynamic secrets. This article explores how to integrate Spring Boot with Vault to protect sensitive configuration.
2. Vault Service Installation and Configuration
Vault can be run via Docker. Example command:
<code>docker run -d --name vault --cap-add=IPC_LOCK \
-e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}, "listener": [{"tcp": { "address": "0.0.0.0:8200", "tls_disable": true}}], "default_lease_ttl": "168h", "max_lease_ttl": "720h", "ui": true}' \
-p 8200:8200 hashicorp/vault server</code>
The --cap-add=IPC_LOCK flag lets Vault lock its memory so that secrets are never swapped to disk, which is strongly recommended. In non-development environments you may need to disable mlock with disable_mlock: true. This configuration runs the server without TLS (tls_disable: true), uses a file storage backend at /vault/file, and sets a default lease TTL of one week (168h) with a maximum of 30 days (720h). Running without TLS and using the file backend are not recommended for production.
3. Basic Vault Operations
Access the UI at http://localhost:8200/ui/. On first access Vault is initialized and a root token is generated, which is used to log in.
In the UI, click Secrets Engines to create a new KV engine, enable it, and set the path.
4. Vault Data Encryption and Decryption (Transit Engine)
Java code using Spring Vault to encrypt and decrypt values. The transit secrets engine must be enabled at its default path, transit.
<code>import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;

public class VaultTransitTest {

    private VaultEndpoint vaultEndpoint;
    private VaultTemplate vaultTemplate;

    @BeforeEach
    public void init() {
        // Plain HTTP endpoint of the development Vault started above
        vaultEndpoint = new VaultEndpoint();
        vaultEndpoint.setHost("localhost");
        vaultEndpoint.setPort(8200);
        vaultEndpoint.setScheme("http");
        // Placeholder token; use the token generated at first login
        vaultTemplate = new VaultTemplate(vaultEndpoint,
                new TokenAuthentication("hvs.xxxxxxxxxxooooooooo"));
    }

    @Test
    public void testEncrypt() {
        // Encrypt with the transit key "db.password"; the "vault:v1:" prefix records the key version
        String ret = vaultTemplate.opsForTransit().encrypt("db.password", "123123");
        System.out.println(ret);
    }
    // Example output: vault:v1:1WxwJjUJnN78FnqsTzxo+9wnGyHln3yCdG+lf5ZC/SDmeQ==
    // Each encrypt call uses a fresh nonce, so the same plaintext yields a different ciphertext every time.

    @Test
    public void testDecrypt() {
        // Decrypt a ciphertext previously produced under the same key
        String ret = vaultTemplate.opsForTransit().decrypt("db.password",
                "vault:v1:wBLlqFGICCnONZgwm+9JRRiOF/0xoxuO+OIy4omZoS1FBg==");
        System.out.println(ret);
    }
    // Output: 123123
}
</code>
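As an added example (not code from the original article), the following Java program uses the same Spring Vault client to show what the vault:v1: version prefix means in practice: it rotates the transit key, re-wraps an old ciphertext under the new key version without ever exposing the plaintext, and confirms that every ciphertext still decrypts. It assumes the development Vault above, the transit engine enabled at its default path, and the token supplied in the VAULT_TOKEN environment variable.

```java
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;

public class TransitRotationDemo {

    public static void main(String[] args) {
        // Assumed: development Vault on localhost:8200 without TLS, transit engine at path "transit"
        VaultEndpoint endpoint = new VaultEndpoint();
        endpoint.setHost("localhost");
        endpoint.setPort(8200);
        endpoint.setScheme("http");
        // Token comes from the environment (assumed variable name) rather than being hard-coded
        VaultTemplate template = new VaultTemplate(endpoint,
                new TokenAuthentication(System.getenv("VAULT_TOKEN")));
        VaultTransitOperations transit = template.opsForTransit();

        String keyName = "db.password";
        if (transit.getKey(keyName) == null) {
            transit.createKey(keyName); // create the named key only if it does not exist yet
        }

        String oldCiphertext = transit.encrypt(keyName, "123123");
        System.out.println("ciphertext under current key: " + oldCiphertext); // vault:vN:...

        // Rotate the key: new encryptions use the next version, older ciphertexts remain decryptable
        transit.rotate(keyName);
        String newCiphertext = transit.encrypt(keyName, "123123");
        System.out.println("ciphertext after rotation:    " + newCiphertext); // version prefix incremented

        // Re-wrap the stored ciphertext under the latest version; plaintext never leaves Vault
        String rewrapped = transit.rewrap(keyName, oldCiphertext);
        System.out.println("rewrapped old ciphertext:     " + rewrapped);

        // All three ciphertexts decrypt to the same plaintext
        System.out.println(transit.decrypt(keyName, oldCiphertext));
        System.out.println(transit.decrypt(keyName, newCiphertext));
        System.out.println(transit.decrypt(keyName, rewrapped));
    }
}
```

Once all stored ciphertexts have been re-wrapped, the key's minimum decryption version can be raised so that the retired version can no longer decrypt anything.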
5. Programmatic KV Storage
Create a KV (version 2) engine named mydata and write a secret. KV v2 expects the secret fields under a data key, and the write path contains a data segment.
<code>import java.util.HashMap;
import java.util.Map;

// Inside the same test class as init() above; a simple holder serialized to JSON by Spring Vault
static class Secrets {
    public String username;
    public String password;
}

@Test
public void testCreate() {
    Secrets ss = new Secrets();
    ss.username = "admin";
    ss.password = "123123";
    // KV v2 API: the secret fields go under the "data" key of the request body
    Map<String, Object> data = new HashMap<>();
    data.put("data", ss);
    vaultTemplate.write("/mydata/data/db", data);
}
</code>
Read the secret back with the same vaultTemplate:
<code>@Test
public void testRead() {
    // KV v2 returns the secret fields under getData().get("data"), alongside a "metadata" entry
    System.out.println(vaultTemplate.read("/mydata/data/db").getData());
}
</code>
6. Spring Boot Integration
Add a vault.properties file (the token value is a placeholder):
<code>vault.uri=http://localhost:8200
vault.token=hvs.xxxxxxxxoooooooo
</code>
Create a configuration class:
<code>import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.context.annotation.PropertySource;
import org.springframework.vault.annotation.VaultPropertySource;
import org.springframework.vault.config.EnvironmentVaultConfiguration;
@Configuration
@VaultPropertySource(value = {"demo/db"})    // secret path whose keys become Spring properties
@PropertySource("vault.properties")          // supplies vault.uri and vault.token
@Import(EnvironmentVaultConfiguration.class) // builds the VaultTemplate from those properties
public class AppVaultConfig {}
</code>
Importing EnvironmentVaultConfiguration registers a VaultTemplate bean built from the vault.uri and vault.token properties, and @VaultPropertySource loads the keys stored at demo/db into the Spring Environment.
Reference the secrets in the Spring Boot datasource configuration:
<code>spring:
  datasource:
    driverClassName: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://localhost:3306/batch?serverTimezone=GMT%2B8&nullCatalogMeansCurrent=true&useSSL=false
    username: ${db.username}
    password: ${db.password}
    type: com.zaxxer.hikari.HikariDataSource
    hikari:
      minimumIdle: 10
      maximumPoolSize: 13
</code>
Start the application and verify that the database connection works without exposing credentials.
This completes the integration of Spring Boot with Vault for secure configuration management.