Secure Spring Boot Configurations with Jasypt: A Step‑by‑Step Guide

This tutorial shows how to protect sensitive configuration values such as database passwords in a Spring Boot application by integrating the Jasypt library, configuring encryption keys, generating encrypted strings via unit tests or Maven plugin, and securely passing the secret at runtime.

Senior Brother's Insights

Simple Spring Boot Example

A minimal Spring Boot application uses spring-boot-starter-web (and optionally Lombok). A ConfigProperties class injects ${conf.url} and ${conf.password} from application.properties. A ConfigController prints the injected values, demonstrating that the configuration works but also exposing the password in plain text.

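<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
  <groupId>org.projectlombok</groupId>
  <artifactId>lombok</artifactId>
</dependency>

// ConfigProperties.java
import lombok.Data;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

// Binds conf.url and conf.password from application.properties.
@Data
@Component
public class ConfigProperties {
  @Value("${conf.url}")
  private String url;
  @Value("${conf.password}")
  private String password;
}

// ConfigController.java
import javax.annotation.Resource;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/")
public class ConfigController {
  @Resource
  private ConfigProperties configProperties;

  // Prints the injected values to stdout; the password appears in plain text.
  @RequestMapping
  public void print(){
    System.out.println(configProperties.getUrl());
    System.out.println(configProperties.getPassword());
  }
}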

Encrypting Configuration with Jasypt

Jasypt can encrypt values in application.properties and automatically decrypt them at runtime, adding a protective layer without replacing a full secret‑management solution.

Integration Steps

Environment Preparation

Use Jasypt version 3.0.4 with JDK 8 and Spring Boot 2.5.5. Ensure the unlimited‑strength JCE policy files (local_policy.jar and US_export_policy.jar) are present in $JAVA_HOME/jre/lib/security. If they are missing, download them from the Oracle JCE 8 page.

Add Maven Dependency

Include the starter and the Maven plugin in pom.xml:

<!-- under <dependencies> -->
<dependency>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-spring-boot-starter</artifactId>
  <version>3.0.4</version>
</dependency>

<!-- under <build><plugins> -->
<plugin>
  <groupId>com.github.ulisesbocchio</groupId>
  <artifactId>jasypt-maven-plugin</artifactId>
  <version>3.0.4</version>
</plugin>

Encrypting Values

Method 1 – Unit‑test encryption

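import org.jasypt.encryption.StringEncryptor;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;

@SpringBootTest
class SpringBootJasyptApplicationTests {
  // Encryptor bean registered by jasypt-spring-boot-starter; it needs
  // jasypt.encryptor.password to be available to the test context.
  @Autowired
  private StringEncryptor stringEncryptor;

  @Test
  void contextLoads(){
    // Encrypt the plain-text value and print the ciphertext,
    // which goes into application.properties wrapped as ENC(...).
    String cipher = stringEncryptor.encrypt("admin123");
    System.out.println(cipher);
  }
}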

This test prints an encrypted string using the default encryptor settings.

Method 2 – Maven plugin encryption

1. Define the encryption password in application.properties:

jasypt.encryptor.password=afx11

2. Mark values that need encryption with the DEC(...) prefix:

conf.password=DEC(admin123)

3. Run the plugin to replace DEC with the encrypted ENC value:

mvn jasypt:encrypt -Djasypt.encryptor.password=afx11

Resulting snippet in application.properties:

jasypt.encryptor.password=afx11
conf.url=127.0.0.1
conf.password=ENC(209eBdF3+jsV2f8kDjs4NOCzgBxnVgETlR5q2KfhYo5DW2jqvLknv0TndEkXOXm0)

To view the plain text without modifying the file, use:

mvn jasypt:decrypt -Djasypt.encryptor.password=afx11

Passing the Encryption Password Securely

Do not store the encryption password in the properties file. Instead, provide it at runtime, for example:

java -jar jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=yourPassword

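Environment variables can be used in the same way, which keeps the secret out of source control. Command-line arguments are visible in the host's process list, so an environment variable is the better choice on shared machines.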
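A pre-commit or CI check that enforces the rule above, as an added example that is not part of the original article or the Jasypt project: it flags a properties file that still holds a literal jasypt.encryptor.password or a value left in DEC(...). The function name check_jasypt_props and the sample file are constructed for illustration; the property names are the ones used in this guide.

```shell
#!/bin/sh
# check_jasypt_props FILE  (hypothetical helper, not part of Jasypt)
# Prints one finding per line; returns 1 if FILE holds a literal Jasypt
# encryption password or a value still wrapped in DEC(...), else 0.
check_jasypt_props() {
  file=$1
  findings=0
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]+//')
    case $line in
      '' | '#'* | '!'*) continue ;;   # blank line or properties comment
    esac
    # Split "key=value", "key = value" or "key: value" at the first separator.
    key=$(printf '%s\n' "$line" | sed -E 's/^([^=:[:space:]]+).*/\1/')
    value=$(printf '%s\n' "$line" |
      sed -E -e 's/^[^=:]*[=:][[:space:]]*//' -e 's/[[:space:]]+$//')
    if [ "$key" = jasypt.encryptor.password ]; then
      case $value in
        '${'*':'?*'}')   # placeholder whose default is itself a literal secret
          echo "$file:$lineno: placeholder default embeds the encryption password"
          findings=$((findings + 1)) ;;
        '${'*'}') ;;     # resolved at runtime from an env var or argument
        *)
          echo "$file:$lineno: literal jasypt.encryptor.password in file"
          findings=$((findings + 1)) ;;
      esac
    fi
    case $value in
      'DEC('*')')
        echo "$file:$lineno: $key is still plain text inside DEC(...)"
        findings=$((findings + 1)) ;;
    esac
  done < "$file"
  [ "$findings" -eq 0 ]
}

# Constructed sample input, using the property names from the article.
sample=$(mktemp)
printf '%s\n' 'jasypt.encryptor.password=afx11' 'conf.url=127.0.0.1' \
  'conf.password=DEC(admin123)' > "$sample"
check_jasypt_props "$sample" || echo "resolve the findings above before committing"
rm -f "$sample"
```

The check covers .properties syntax only; YAML configuration would need its own parser.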

References

Example source code: https://github.com/secbr/springboot-all/tree/master/springboot-jasypt

Official Jasypt Spring Boot starter repository: https://github.com/ulisesbocchio/jasypt-spring-boot

Written by

Senior Brother's Insights

A public account focused on workplace, career growth, team management, and self-improvement. The author is the writer of books including 'SpringBoot Technology Insider' and 'Drools 8 Rule Engine: Core Technology and Practice'.
