Secure Your Nacos Configs: How to Store Encrypted Data in Nacos 2.1.0
This guide explains how Nacos 2.1.0 introduces built‑in configuration encryption, how to add encryption plugins on the server, and how to mark configuration entries with a special prefix so that they are automatically stored and transmitted as ciphertext.
How to Configure Encrypted Storage in Nacos 2.1.0
To protect sensitive configuration data, Nacos provides a new encryption feature that reduces risk and eliminates the need for separate encryption handling.
When the Nacos server starts, it loads all supported encryption algorithms and matches configurations by the dataId prefix to determine whether encryption is required and which algorithm to use.
Configurations published by clients are encrypted on the client side via a filter, ensuring ciphertext in transit, while configurations published through the console are processed on the server side.
How to Use
① Add Encryption Plugin to Nacos Server
AES plugin
<code><dependency>
  <groupId>com.alibaba.nacos</groupId>
  <artifactId>nacos-aes-encryption-plugin</artifactId>
  <version>${nacos-aes-encryption-plugin.version}</version>
</dependency>
</code>
SM4 (Chinese national cryptographic standard) plugin
<code><dependency>
  <groupId>io.springboot.nacos</groupId>
  <artifactId>nacos-encryption-plugin-ext</artifactId>
  <version>0.0.1</version>
</dependency>
</code>
Server addition
[Figure: adding the encryption plugin to the Nacos server]
② Add Configuration
Use a configuration prefix of cipher-[encryption-algorithm]-dataId to indicate that the entry must be encrypted; the system will automatically encrypt it. For example, using the SM4 algorithm:
<code>cipher-sm4-pig-upms-biz-dev.yml</code>
Reference [1]
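The naming rule above can be checked before configurations are published. The following Python sketch is an added example, not code from Nacos or from the original article: it splits a dataId on the cipher-[algorithm]-dataId pattern and flags entries that look sensitive but lack the prefix, or that name an algorithm missing from the plugin list you pass in. The secret-key regex, the function names, and every sample dataId other than cipher-sm4-pig-upms-biz-dev.yml are assumptions.

```python
import re

CIPHER_PREFIX = "cipher-"
# Assumption: key names that usually hold secrets; extend for your own configs.
SECRET_HINT = re.compile(r"(password|passwd|secret|token|access[-_]?key)\s*[:=]", re.I)


def parse_cipher_data_id(data_id):
    """Split 'cipher-[algorithm]-dataId' into (algorithm, base dataId).

    Returns None when the dataId does not follow the three-part pattern.
    """
    if not data_id.startswith(CIPHER_PREFIX):
        return None
    algorithm, sep, base = data_id[len(CIPHER_PREFIX):].partition("-")
    if not (algorithm and sep and base):
        return None  # e.g. "cipher-" or "cipher-sm4": pattern is incomplete
    return algorithm, base


def audit(configs, installed_algorithms):
    """configs maps dataId -> plaintext content; returns sorted (dataId, finding)."""
    findings = []
    for data_id, content in configs.items():
        parsed = parse_cipher_data_id(data_id)
        if parsed is None:
            if data_id.startswith(CIPHER_PREFIX):
                findings.append((data_id, "malformed cipher prefix"))
            elif SECRET_HINT.search(content):
                findings.append((data_id, "secret-like key without cipher prefix"))
        elif parsed[0] not in installed_algorithms:
            findings.append((data_id, "no plugin listed for " + parsed[0]))
    return sorted(findings)


# Constructed sample data; only the first dataId appears in the article.
SAMPLE = {
    "cipher-sm4-pig-upms-biz-dev.yml": "spring:\n  datasource:\n    password: example-only\n",
    "pig-auth-dev.yml": "spring:\n  datasource:\n    password: example-only\n",
    "cipher-aes-pig-gateway-dev.yml": "jwt:\n  secret: example-only\n",
    "cipher-": "x: 1\n",
    "application-dev.yml": "server:\n  port: 8080\n",
}

if __name__ == "__main__":
    # Assumption: only the SM4 plugin is installed on this server.
    for data_id, finding in audit(SAMPLE, {"sm4"}):
        print(f"{data_id}: {finding}")
```

Pass the set of algorithm names whose plugins are actually deployed on your server as installed_algorithms; the script does not query Nacos for it.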
Reference Materials
[1] Reference: https://nacos.io/zh-cn/docs/config-encryption.html
Java Architecture Diary