Encrypting Spring Boot Configuration Files with jasypt-spring-boot

This guide explains how to protect sensitive Spring Boot configuration data by integrating the open-source jasypt-spring-boot plugin, covering dependency addition, secret key setup, encryption of plaintext values, and customizing encrypted property syntax for seamless decryption at runtime.

Code Ape Tech Column

Introduction: Sensitive values in configuration files (e.g., the datasource URL, username and password) are exposed to anyone who can read the file; encrypting them prevents that leakage.

Solution: Use the open-source plugin jasypt-spring-boot (GitHub link) to transparently encrypt and decrypt configuration values in a Spring Boot project.

1. Add Dependency

<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>

2. Configure Secret Key

Add a secret key in application.yml (or pass it as a JVM argument):

jasypt:
  encryptor:
    password: Y6M9fAJQdU7jNp5MW

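Or leave it out of the file and pass it as a JVM system property when starting the jar. The -D option must come before -jar; placed after the jar name it is handed to the application as an ordinary argument and the property is never set:

java -Djasypt.encryptor.password=Y6M9fAJQdU7jNp5MW -jar xxx.jar

A key kept in application.yml sits beside the ciphertext it protects, so anyone who can read the file can decrypt the values; supplying it at startup keeps it out of the repository.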

3. Generate Encrypted Values

Use a Spring test to encrypt plaintext values:

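import org.jasypt.encryption.StringEncryptor;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;

@SpringBootTest
@RunWith(SpringRunner.class)
public class SpringbootJasyptApplicationTests {

    /** Inject the encryption bean that the starter configures from jasypt.encryptor.password */
    @Autowired
    private StringEncryptor encryptor;

    /** Encrypt URL, username, password and print the ciphertext to copy into the config */
    @Test
    public void encrypt() {
        String url = encryptor.encrypt("jdbc:mysql://127.0.0.1:3306/test?...");
        String name = encryptor.encrypt("root");
        String password = encryptor.encrypt("123456");
        System.out.println("database url: " + url);
        System.out.println("database name: " + name);
        System.out.println("database password: " + password);
        Assert.assertTrue(url.length() > 0);
        Assert.assertTrue(name.length() > 0);
        Assert.assertTrue(password.length() > 0);
    }
}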

The console prints encrypted strings for the URL, username and password.

4. Write Encrypted Values to Configuration

By default, jasypt expects encrypted values to be wrapped in ENC():

spring:
  datasource:
    username: ENC(L8I2RqYPptEtQNL4x8VhRVakSUdlsTGzEND/3TOnVTYPWe0ZnWsW0/5JdUsw9ulm)
    password: ENC(EJYCSbBL8Pmf2HubIH7dHhpfDZcLyJCEGMR9jAV3apJtvFtx9TVdhUPsAxjQ2pnJ)
    driver-class-name: com.mysql.jdbc.Driver
    url: ENC(szkFDG56WcAOzG2utv0m2aoAvNFH5g3DXz0o6joZjT26Y5WNA+1Z+pQFpyhFBokqOp2jsFtB+P9b3gB601rfas3dSfvS8Bgo3MyP1nojJgVp6gCVi+B/XUs0keXPn+pbX/19HrlUN1LeEweHS/LCRZslhWJCsIXTwZo1PlpXRv3Vyhf2OEzzKLm3mIAYj51CrEaN3w5cMiCESlwvKUhpAJVz/uXQJ1spLUAMuXCKKrXM/6dSRnWyTtdFRost5cChEU9uRjw5M+8HU3BLemtcK0vM8iYDjEi5zDbZtwxD3hA=)
    type: com.alibaba.druid.pool.DruidDataSource

You can customize the prefix and suffix, e.g., to use PASS():

jasypt:
  encryptor:
    property:
      prefix: 'PASS('
      suffix: ')'

Then the configuration must use PASS(...) to be decrypted.
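
A pre-commit or CI check for the rules in sections 2 and 4, added here as an example and not taken from the article or the jasypt-spring-boot project: it flags sensitive properties whose value is not inside the configured wrapper (jasypt passes those through as-is) and a jasypt.encryptor.password committed in the file. The names flatten, audit and SENSITIVE, the key-name pattern and the sample YAML are assumptions, and the parser handles only space-indented maps.

```python
import re
# Assumed naming convention for properties that should never be stored in clear.
SENSITIVE = re.compile(r"(password|secret|username|url)$", re.I)
# Constructed sample: custom PASS() wrapper, one stale ENC() value, one plaintext URL.
SAMPLE = """\
jasypt:
  encryptor:
    password: example-key-not-real
    property:
      prefix: 'PASS('
      suffix: ')'
spring:
  datasource:
    username: PASS(Y29uc3RydWN0ZWQ=)
    password: ENC(Y29uc3RydWN0ZWQ=)
    url: jdbc:mysql://127.0.0.1:3306/test
"""

def flatten(yaml_text):
    """Flatten nested 'key: value' YAML (space-indented maps only) to dotted keys."""
    stack, flat = [], {}
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave deeper or sibling levels before pushing this key
        stack.append((indent, key.strip()))
        value = value.strip().strip("'\"")
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat

def audit(yaml_text):
    """Return (key, reason) for unwrapped sensitive values and for an in-file key."""
    props = flatten(yaml_text)
    prefix = props.get("jasypt.encryptor.property.prefix", "ENC(")
    suffix = props.get("jasypt.encryptor.property.suffix", ")")
    findings = []
    for key, value in props.items():
        if key == "jasypt.encryptor.password":
            findings.append((key, "encryption key stored next to the ciphertext"))
        elif SENSITIVE.search(key) and not (value.startswith(prefix) and value.endswith(suffix)):
            findings.append((key, "not wrapped in %s...%s" % (prefix, suffix)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample it reports the in-file key, the password still wrapped in ENC() after the switch to PASS(), and the plaintext URL.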

5. Summary

jasypt-spring-boot also supports custom algorithms and advanced features; refer to its GitHub documentation for details.

Written by

Code Ape Tech Column

Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
