Encrypting Spring Boot Configuration Files with Jasypt
This article explains how to secure sensitive Spring Boot configuration properties such as database credentials by integrating the Jasypt library, configuring the encryption password, generating encrypted values through test code, and applying the encrypted strings in application.yml, including how to supply the encryption password at deployment time rather than hard-coding it.
Spring Boot configuration files often expose sensitive data in plain text, so this guide introduces the Jasypt library to encrypt such properties and improve security.
First, add the Jasypt starter dependency to your project:
    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>2.1.0</version>
    </dependency>

Configure the encryption password in application.yml (or application.properties) like this:
    # Jasypt encryption key
    jasypt:
      encryptor:
        password: Y6M9fAJQdU7jNp5MW

Generate encrypted values using a Spring test case:
    import org.jasypt.encryption.StringEncryptor;
    import org.junit.Assert;
    import org.junit.Test;
    import org.junit.runner.RunWith;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.test.context.SpringBootTest;
    import org.springframework.test.context.junit4.SpringRunner;

    @RunWith(SpringRunner.class)
    @SpringBootTest
    public class DatabaseTest {

        // StringEncryptor bean auto-configured by the starter from jasypt.encryptor.password
        @Autowired
        private StringEncryptor encryptor;

        @Test
        public void getPass() {
            // Encrypt each sensitive value; the output is what goes inside ENC(...) in application.yml
            String url = encryptor.encrypt("jdbc:mysql://localhost:3306/mydb?autoReconnect=true&serverTimezone=GMT%2B8&useUnicode=true&characterEncoding=utf-8");
            String name = encryptor.encrypt("root");
            String password = encryptor.encrypt("123456");
            System.out.println("database url: " + url);
            System.out.println("database name: " + name);
            System.out.println("database password: " + password);
            Assert.assertTrue(url.length() > 0);
            Assert.assertTrue(name.length() > 0);
            Assert.assertTrue(password.length() > 0);
        }
    }

The console will output encrypted strings such as:
    database url: 6Ut7iADnHS18cManoFJuNRQ5QEDfcho/...
    database name: fmai72yGYKGlP6vTtX77EQ==
    database password: GPMG7FGV+EA9iGkC27u67A==

Replace the plain values in application.yml with the encrypted ones using the ENC() wrapper:
    server:
      port: 8080
    spring:
      datasource:
        driver-class-name: com.mysql.cj.jdbc.Driver
        url: ENC(h20YiPrvNnuuTGjlrE1RVpudMuIQAS6ZPSVo1SPiYVyLen7/...)
        username: ENC(sT6BztXbJEa71eg3pPGYMQ==)
        password: ENC(MpSZFJ9ftq+3+VUANZjr0Q==)
      jpa:
        hibernate:
          ddl-auto: update
        show-sql: true
      jackson:
        default-property-inclusion: non_null
        date-format: yyyy-MM-dd HH:mm:ss
        serialization:
          write-dates-as-timestamps: false
        time-zone: GMT+8
    jasypt:
      encryptor:
        password: Y6M9fAJQdU7jNp5MW

Note that ENC() is a fixed syntax required by Jasypt.
For production deployments, avoid hard-coding the encryption password in application.yml, since a key stored next to the ciphertext it protects defeats the purpose; instead, pass it as a JVM system property or an environment variable. Example command-line usage (the -D option must come before -jar, otherwise the JVM hands it to the application as a plain program argument and the property is never set):

    java -Djasypt.encryptor.password=Y6M9fAJQdU7jNp5MW -jar xxx.jar

Or set the variable in /etc/profile:

    export JASYPT_PASSWORD=Y6M9fAJQdU7jNp5MW

Keep in mind that /etc/profile is world-readable on most systems, so any local account can read the key from it; a file readable only by the service account is a tighter choice. After updating the profile, reload it with:

    source /etc/profile

Finally, start the application using the environment variable:

    java -Djasypt.encryptor.password=${JASYPT_PASSWORD} -jar xxx.jar

Following these steps secures sensitive configuration data in Spring Boot applications.
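As an added stand-alone example (not the article's code, and not part of the Jasypt project), the program below reproduces what the jasypt-spring-boot 2.x starter configures by default and resolves ENC() tokens the way the starter does, so the round trip and the failure on a wrong key can be seen without a Spring context. It assumes the org.jasypt library on the classpath and reuses the article's sample key.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.salt.RandomSaltGenerator;

public class JasyptEncDemo {
    // The article's sample key; in a real deployment this comes from -Djasypt.encryptor.password
    private static final String PASSWORD = "Y6M9fAJQdU7jNp5MW";
    // Matches the ENC(...) wrapper the starter looks for in property values
    private static final Pattern ENC = Pattern.compile("ENC\\(([^)]+)\\)");

    // Encryptor matching the 2.x starter defaults: PBEWithMD5AndDES, 1000 key-obtention
    // iterations, random salt, Base64 output. (3.x switched to PBEWITHHMACSHA512ANDAES_256.)
    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setAlgorithm("PBEWithMD5AndDES");
        e.setKeyObtentionIterations(1000);
        e.setSaltGenerator(new RandomSaltGenerator());
        e.setStringOutputType("base64");
        return e;
    }

    // Resolves one property value as the starter would: decrypt ENC(...) tokens, pass others through
    static String resolve(StandardPBEStringEncryptor e, String value) {
        Matcher m = ENC.matcher(value);
        return m.matches() ? e.decrypt(m.group(1)) : value;
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor e = encryptor(PASSWORD);
        String c1 = e.encrypt("123456");
        String c2 = e.encrypt("123456");
        // Random salt: two encryptions of the same plaintext differ, which is why the values the
        // test printed and the ones pasted into application.yml need not match; both decrypt.
        System.out.println(c1.equals(c2) ? "same ciphertext" : "different ciphertexts, both valid");
        System.out.println("password via ENC(c1): " + resolve(e, "ENC(" + c1 + ")"));
        System.out.println("password via ENC(c2): " + resolve(e, "ENC(" + c2 + ")"));
        System.out.println("plain port passes through: " + resolve(e, "8080"));
        // Wrong key: decryption normally fails, so a leaked application.yml is useless without
        // the key, and the key must therefore not live in the same file.
        try {
            resolve(encryptor("wrong-key"), "ENC(" + c1 + ")");
            System.out.println("unexpected: wrong key accepted");
        } catch (EncryptionOperationNotPossibleException ex) {
            System.out.println("wrong key rejected");
        }
    }
}
```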