Secure Spring Boot Configs with Jasypt: Step-by-Step Encryption Guide

This tutorial explains how to integrate Jasypt into Spring Boot 3.2.5, configure encryption keys, encrypt sensitive properties, use the ENC() syntax, and retrieve decrypted values at runtime, providing a complete solution for protecting configuration data.

Spring Full-Stack Practical Cases

1. Introduction

Jasypt (Java Simplified Encryption) is a Java library that provides simple encryption and decryption for sensitive information such as passwords, API keys, database credentials, and other configuration properties. Its purpose is to simplify protecting sensitive data in configuration files and environment variables.

Jasypt goals

Secure configuration: Jasypt enables developers to encrypt sensitive configuration properties, preventing unauthorized access to data stored in files or environment variables.

Simplified encryption: Jasypt offers a clear API that abstracts complex encryption algorithms and key management.

Spring Boot integration: Jasypt integrates seamlessly with Spring Boot, providing out‑of‑the‑box support for encrypting and decrypting configuration properties.

In a Spring Boot application, Jasypt can encrypt and decrypt sensitive properties such as database passwords, API keys, etc. Integration is provided via spring-boot-starter-parent and spring-boot-starter-security dependencies.

2. Practical Example

2.1 Add Dependency

<code><dependency>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-spring-boot-starter</artifactId>
  <version>3.0.5</version>
</dependency>
</code>

Version 3.0.5 is the latest.

2.2 Configure Jasypt Encryption Key

Define the encryption key used for encrypting and decrypting sensitive properties in application.properties or application.yml:

<code>jasypt:
  encryptor:
    password: xxxooo
    algorithm: PBEWithMD5AndDES
    iv-generator-classname: org.jasypt.iv.NoIvGenerator
</code>

Replace xxxooo with your desired secret key.

2.3 Encrypt Sensitive Property Values

Use Jasypt’s CLI to encrypt a plain‑text value:

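<code># path/to/jasypt.jar is a placeholder for the jasypt core JAR on your machine
java -cp path/to/jasypt.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI \
  input="xxxooo" \
  password="aaaabbbbcccc6666" \
  algorithm="PBEWithMD5AndDES"
</code>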

Result:

<code>----OUTPUT----------------------
A+0fOw9iTjCm8RQ8F2+rMQ==
</code>

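Place the ciphertext in your configuration file. The password and algorithm passed to the CLI must be the same values the application uses for jasypt.encryptor.password and jasypt.encryptor.algorithm; otherwise the value cannot be decrypted at startup.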

2.4 Use Encrypted Property

In application.properties or application.yml reference the encrypted value with the ENC(...) syntax:

<code>spring:
  datasource:
    password: ENC(A+0fOw9iTjCm8RQ8F2+rMQ==)
</code>

Jasypt will automatically decrypt the value at runtime.

2.5 Provide Jasypt Key at Startup

You can supply the encryption key via command line or system property:

<code>java -jar app.jar --jasypt.encryptor.password=xxxooo
</code>
<code>java -jar -Djasypt.encryptor.password=xxxooo app.jar
</code>

2.6 Decrypt Custom Property Sources

Use the @EncryptablePropertySource annotation to load encrypted properties from additional files:

<code>@Configuration
@EncryptablePropertySource({"classpath:app.properties"})
public class AppConfig {}
</code>

2.7 Retrieve Decrypted Value with @Value

Inject the property with @Value; Spring will provide the plaintext value:

<code>@Value("${spring.datasource.password}")
private String password;
</code>

With these steps, sensitive configuration data in a Spring Boot 3.2.5 application is securely encrypted and automatically decrypted at runtime.
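
The steps above, checked end to end as an added example (not code from the article): it builds an encryptor with the section 2.2 settings, produces an ENC(...) value, and shows that only the same key decrypts it. The class name JasyptRoundTrip, the sample value and the JASYPT_ENCRYPTOR_PASSWORD environment variable are assumptions of this example.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.NoIvGenerator;

// Added example, not the article's code. Needs the jasypt core JAR on the
// classpath (jasypt-spring-boot-starter brings it in transitively).
public class JasyptRoundTrip {

    // Same settings as the jasypt.encryptor block in section 2.2.
    static StandardPBEStringEncryptor encryptor(String key) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(key);
        e.setAlgorithm("PBEWithMD5AndDES");
        e.setIvGenerator(new NoIvGenerator());
        return e;
    }

    // True only if `key` decrypts `cipher` back to `expected`. A wrong key
    // normally throws; because this algorithm has no integrity check it can
    // occasionally return garbage instead, so the result is compared as well.
    static boolean decryptsTo(String key, String cipher, String expected) {
        try {
            return expected.equals(encryptor(key).decrypt(cipher));
        } catch (EncryptionOperationNotPossibleException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumption: the key is exported as JASYPT_ENCRYPTOR_PASSWORD.
        String key = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (key == null || key.isBlank()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        String plain = "constructed-db-password"; // constructed sample value

        // A random salt is used, so the ciphertext differs on every run.
        String cipher = encryptor(key).encrypt(plain);
        System.out.println("password: ENC(" + cipher + ")");

        System.out.println("same key decrypts:  " + decryptsTo(key, cipher, plain));
        System.out.println("other key decrypts: " + decryptsTo(key + "-x", cipher, plain));
    }
}
```

Reading the key from the environment keeps it out of application.yml and version control; Spring Boot's relaxed binding also maps JASYPT_ENCRYPTOR_PASSWORD to jasypt.encryptor.password.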
