Spring Boot: Encrypt Property Value in Properties File

Sharing is caring!

Overview

During my experiences working with Java, there are must be cases that I have to use properties files in order to store configurable parameter. For example, folder location for storing temporary files or wsdl location if I need to invoke SOAP services. But sometimes, I need to store sensitive information, such as database password in the configuration file. Therefore, we need to encrypt property value for sensitive information, in order to make it harder for the attacker to compromise our system.

Use Case

For the use case, I want to encrypt property value with key variable.secret-var in the property file. The encrypted value then will be decrypted during the runtime.

Step by Step

For this example, I will use spring boot as a baseline.

Spring boot can use two types of configuration files. One is application.properties and the other one is application.yml.

For this use case, I use the yml extension. However, the steps are similar

Step 1: Download Spring Boot Project

Go to spring initialzr page, fill package and artifact name. Since this project is intended for displaying the encrypted property value, leave empty for the rest then click generate project.

Step 2: Configure pom.xml

We need to add jasypt spring boot starter library into our pom, in order to use the their attributes in our properties or yaml file.

Step 3: Configure Algorithm and Encryption Key

Put jasypt attributes in application.yml

Step 4: Generate Encrypted Text

Note: you may get a different output since jasypt use salt mechanism.

Step 5: Set Encrypted Value

Then put the encrypted value into variable.secret-var key in application.yml file.

Note: the encrypted value is prefixed by ENC word followed by bracket

Step 6: Create Spring Bean

After we finish with the configuration part, it is time to create the bean. All we need is create an instance variable, private modifier is better, and put @Value annotation with variable.secret-var key. Then we print the mySecretVar variable.

Step 7: Run the Program

Now we modify a little bit in the main class, in order to print the variable.

And we will get output such as:

result
Decrypted Result

Conclusion

So, that is it. Now you can encrypt the variable value inside property file. However, maybe you are wondering, it would be non-sense if we put the encrypted variable and the jasypt configuration into one property file. For this cases, we can make separate property file between jasypt configuration and the encrypted value. The technique is using externalized configuration. But that would be out of scope for this post. I will try to bring it in the future.

Meanwhile, you can check all the code in my repository. Have a nice day!

Author: ru rocker

I have been a professional software developer since 2004. Java, Python, NodeJS, and Go-lang are my favorite programming languages. I also have an interest in DevOps. I hold professional certifications: SCJP, SCWCD, PSM 1, AWS Solution Architect Associate, and AWS Solution Architect Professional.

22 thoughts on “Spring Boot: Encrypt Property Value in Properties File”

    1. Basically it will be no different. Spring boot will always look application.properties or application.yml file during the start up. One of the main different is on how the content inside file is structured. The application.properties file is using the key value meanwhile the application.yml is using YAML file structured.

      For more detail examples, you can see on https://docs.spring.io/spring-boot/docs/current/reference/html/howto-properties-and-configuration.html#howto-use-yaml-for-external-properties

  1. Hello there, I wonder if you ever made that tutorial about externalizing the configuration to hide the jasypt configuration? Thanks 🙂

    1. In terms of externalizing jasypt config, I havent. What I have tried is putting the configuration (database configuration) outside java classpath. In other words, I put into external folder path (example the file location under /opt/config/myapps.properties). But the idea is similar, and in theory, it can be done as well.

      I will try to create a branch from my repo, in order to test whether it works or not. Hopefully sooner 😀

  2. Thanks a lot for the quick reply. Yes I would have to do that. I really wanted to create a ready for production jar file that I could move around. I can also do that but then I would have to start the app with a -Djasypt.encryptor.password=secretkey

  3. I’m using this encryption for SSL
    server:
    port: 9999
    context-path: /XYZ
    ssl:
    enabled: true
    key-alias: ssl_alias
    key-password: ENC(8NzIuKELUDi1zxOf8BOhrGViayD3hZ8j)
    jasypt:
    encryptor:
    algorithm: PBEWithMD5AndDES
    password: secretkey

    But when run the application I get the below error
    java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Cannot recover key

    If I give normal text in the place of ENC(….) it’s working fine
    Can you help in this regard.

    1. I am sorry, I cannot help you much on this. This is a new information for me as well. Maybe you can share a little bit of your code in order to get more into your context?

  4. Hi,
    Can you help in writing the external configuration of spring . How does it makes our jasypt configuration confidential?

    Thanks,
    Vijay

  5. how safe is it to use below dependency. I am worried because its group id is of github. Is it ok to use?

    com.github.ulisesbocchio
    jasypt-spring-boot-starter
    1.14

    1. Honestly, you can see the source code there. So you can determine whether it is safe or not. But so far, I use it with no issue 🙂

  6. If I want to store the encrypted password in the properties file without using Jasypt lib so is there any way to do the same?

  7. I hardcoded the decrypted password in the application.properties file, and the jdbcTemplate got the db connection successfully.But I have to store the encrypted password in the application.properties file instead of the decrypted value.
    How do I pass the decrypted value to the JdbcTemplate before it gets the db connection?

    Thank you

Leave a Reply

Your email address will not be published. Required fields are marked *