Secure Spring Boot Configurations: Encrypt Sensitive Properties with Jasypt

This tutorial explains how to protect sensitive Spring Boot configuration values—such as database passwords and service keys—by encrypting them using the Jasypt library, covering setup, Maven integration, encryption/decryption commands, and best security practices.

Programmer DD

Previous tutorials covered many Spring Boot configuration details such as property references, random values, command‑line arguments, and multi‑environment management. This article introduces a feature not provided natively by Spring Boot: encrypting configuration content.

Why encrypt?

Developers often overlook security in local development, but production configuration files contain sensitive data like database credentials and service keys. If leaked, these can jeopardize critical business data, so encrypting such information is essential for mature teams.

While Spring Cloud Config offers encryption, not every project uses Spring Cloud. This guide shows how to encrypt sensitive properties when using only Spring Boot.

Hands‑on steps

We will use the open‑source project https://github.com/ulisesbocchio/jasypt-spring-boot to simplify encryption.

Step 1: Create a basic Spring Boot project (refer to the quick‑start article if needed).

Step 2: Add a property and a unit test that outputs its value.

datasource.password=didispace.com

Unit test:

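import lombok.extern.slf4j.Slf4j;
import org.junit.jupiter.api.Test; // JUnit 5, the default in Spring Boot 2.2+
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.test.context.SpringBootTest;

@Slf4j
@SpringBootTest
public class PropertiesTest {

    // Resolved from the configuration file; defaults to an empty string if absent
    @Value("${datasource.password:}")
    private String password;

    @Test
    public void test() {
        // Prints the value the application actually sees (demonstration only)
        log.info("datasource.password : {}", password);
    }
}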

Running the test prints the plain password.

Step 3: Add the Jasypt Spring Boot starter to pom.xml:

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>

and the Maven plugin:

<plugin>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-maven-plugin</artifactId>
    <version>3.0.3</version>
</plugin>

Step 4: Define the encryption password in the configuration file:

jasypt.encryptor.password=didispace

Wrap values to be encrypted with DEC():

datasource.password=DEC(didispace.com)

Step 5: Use the jasypt-maven-plugin to encrypt all DEC() entries:

mvn jasypt:encrypt -Djasypt.encryptor.password=didispace
Note: The -Djasypt.encryptor.password argument must match the password defined in the configuration, otherwise decryption will fail.

After execution, the property becomes:

datasource.password=ENC(/AL9nJENCYCh9Pfzdf2xLPsqOZ6HwNgQ3AnMybFAMeOM5GphZlOK6PxzozwtCm+Q)

jasypt.encryptor.password=didispace

Step 6: Run the unit test again; it still prints the original password because Jasypt automatically decrypts ENC() values at runtime.

Although the encrypted values are now stored safely, the encryption password itself is still visible in the file. In production, inject jasypt.encryptor.password via environment variables or startup parameters instead of hard‑coding it.
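The check below is an added example, not code from the original article or from the jasypt-spring-boot project: a shell function for a pre-commit hook or CI step that flags a hard-coded jasypt.encryptor.password and any DEC() value that was never run through mvn jasypt:encrypt. It assumes .properties syntax; the function name scan_properties and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-commit / CI check for Jasypt-managed .properties files.
# Prints "file:line: message" per finding; returns 1 if anything is found.
scan_properties() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*[#!]/ { next }                        # skip comment lines
        /^[ \t]*jasypt\.encryptor\.password[ \t]*[=:]/ {
            v = $0
            sub(/^[^=:]*[=:][ \t]*/, "", v)           # keep only the value
            # A ${...} placeholder means the password is supplied at startup.
            if (substr(v, 1, 2) != "${") {
                printf "%s:%d: jasypt.encryptor.password is hard-coded\n", FILENAME, FNR
                bad = 1
            }
            next
        }
        /[=:][ \t]*DEC\(.*\)[ \t]*$/ {
            printf "%s:%d: DEC() value was never encrypted\n", FILENAME, FNR
            bad = 1
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample input: the state of the file after Step 4 in the article.
demo=$(mktemp)
cat > "$demo" <<'EOF'
datasource.password=DEC(didispace.com)
jasypt.encryptor.password=didispace
EOF
scan_properties "$demo" || echo "commit blocked"
rm -f "$demo"
```

A file that contains only ENC() values and either no jasypt.encryptor.password line or a ${...} placeholder for it passes the check.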

For higher security requirements, Jasypt also supports custom encryption algorithms, which can be explored in its repository.

This article is part of the "Spring Boot 2.x Fundamentals" series. The full source code is available in the 2.x/chapter1-5 directory of the linked GitHub and Gitee repositories.
