How to Encrypt MySQL Passwords in Spring Boot Using Alibaba Druid

In modern development practices, source code is often pushed to public Git servers, which creates a risk of source leakage; if configuration files containing database credentials are exposed, the data can be compromised. Therefore, encrypting database passwords is essential to protect sensitive information.

Alibaba's open‑source Druid library, a high‑performance Java connection pool, offers built‑in password encryption capabilities. By adding the Druid starter to a Spring Boot project, developers can generate encrypted passwords and configure them without writing custom encryption code.

Key Druid features include SQL performance monitoring, replacement of other connection pools, password encryption via PasswordCallback , various logging filters, and extensible JDBC filter chains.

The tutorial focuses on Druid's third feature—database password encryption—by demonstrating the complete workflow.

1. Add Druid Dependency

<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>druid-spring-boot-starter</artifactId>
    <version>1.2.5</version>
</dependency>

For Gradle:

compile 'com.alibaba:druid-spring-boot-starter:1.2.5'

2. Generate Ciphertext

After adding Druid, use the ConfigTools class to create a private key, public key, and encrypted password:

import com.alibaba.druid.filter.config.ConfigTools;

class MyTests {
    public static void main(String[] args) throws Exception {
        // plaintext password to encrypt
        String password = "youPassword"; // replace with your own password
        // generate keys and ciphertext
        ConfigTools.main(new String[]{password});
    }
}

The execution prints three values (privateKey, publicKey, password). Only the public key and the encrypted password are needed for runtime decryption.

3. Add Configuration

Insert the generated public key and ciphertext into application.yml (or XML). Example configuration:

spring:
  datasource:
    driver-class-name: com.mysql.cj.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource
    druid:
      url: jdbc:mysql://127.0.0.1:3306/testdb?serverTimezone=Asia/Shanghai&characterEncoding=UTF-8&useSSL=false
      username: root
      password: IMgKm27bOHok3/+5aDL4jGBoVVZkpicbbM6pIXQppi3dI7h3jngSAqhqwqYnfuYpyVJ0k++q9xWWnHtd6sAWnQ==
      filters: config
      connect-properties:
        config.decrypt: true
        config.decrypt.key: ${spring.datasource.druid.publickey}

Note that the public key is referenced via a placeholder (e.g., ${spring.datasource.druid.publickey} ) so that the actual key can be supplied at runtime, avoiding storing it directly in the configuration file.

4. Runtime Key Management

In development, pass the public key as a JVM argument or IDE run configuration; in production, supply it when launching the JAR:

java -jar xxx.jar --spring.datasource.druid.publickey=YOUR_PUBLIC_KEY

If the public key is missing or incorrect, Druid will fail to decrypt the password and the application will not start.

5. How Decryption Works

During Spring Boot startup, Druid’s interceptor reads the encrypted password and the provided public key, then internally calls ConfigTools.decrypt(publicKey, password) to obtain the original plaintext password, which is then used to establish the database connection without any additional code.

// ciphertext
String password = "VwH1mu2IUpqjfKTd+gSikiZgJTi+3Y5zFIFRfxYnH1UqHzm1K8TIHnMaV3TErBaGsVEaGV0e63pb0Ys3Wdm7Kg==";
// public key
String publicKey = "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALWIEp19IM04sB+vQXnEOH9gFNFdL5TFGSEhORgHj4MnfTfBSNaOoSgCaM8BOpjiHmwuEb7LpvmXI1x/ymUvNzECAwEAAQ==";
String result = ConfigTools.decrypt(publicKey, password);
System.out.println("Final result: " + result);

By following these steps, developers can securely store MySQL passwords in encrypted form, reduce the risk of credential leakage, and keep the decryption process transparent to the application.

Conclusion : Using Alibaba Druid’s built‑in encryption tools simplifies MySQL password protection in Spring Boot applications; only a few configuration changes and a one‑time key generation are required, while runtime decryption is handled automatically by Druid.