Spring Boot: Encrypt Property Value in Properties File



Overview

In my experience working with Java, there are always cases where I have to use properties files to store configurable parameters: for example, a folder location for storing temporary files, or a WSDL location if I need to invoke SOAP services. But sometimes I need to store sensitive information, such as a database password, in the configuration file. Therefore, we need to encrypt the property values that hold sensitive information, in order to make it harder for an attacker to compromise our system.

Use Case

For the use case, I want to encrypt the value of the variable.secret-var key in the properties file. The encrypted value will then be decrypted at runtime.

Step by Step

For this example, I will use Spring Boot as a baseline.

Spring Boot can use two types of configuration files. One is application.properties and the other is application.yml.

For this use case, I use the yml extension. However, the steps are similar for application.properties.

Step 1: Download Spring Boot Project

Go to the Spring Initializr page and fill in the package and artifact name. Since this project is only intended to display the encrypted property value, leave the rest empty, then click Generate Project.

Step 2: Configure pom.xml

We need to add the jasypt Spring Boot starter library to our pom in order to use its attributes in our properties or YAML file.

Step 3: Configure Algorithm and Encryption Key

Put the jasypt attributes in application.yml.

Step 4: Generate Encrypted Text

Note: you may get a different output, since jasypt uses a salt mechanism.

Step 5: Set Encrypted Value

Then put the encrypted value under the variable.secret-var key in the application.yml file.

Note: the encrypted value is prefixed by the word ENC and enclosed in brackets.

Step 6: Create Spring Bean

After we finish the configuration part, it is time to create the bean. All we need to do is create an instance variable (a private modifier is better) and annotate it with @Value using the variable.secret-var key. Then we print the mySecretVar variable.

Step 7: Run the Program

Now we modify the main class a little in order to print the variable.

And we will get output such as:

Figure: Decrypted Result
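
The round trip behind steps 4 to 7, as an added example (not code from the original post or its repository): it calls jasypt's StandardPBEStringEncryptor directly to show why two encryptions of the same value differ and how the ENC wrapper is resolved. It assumes jasypt 1.9.3 on the classpath, the PBEWITHHMACSHA512ANDAES_256 algorithm, and the key supplied in a JASYPT_ENCRYPTOR_PASSWORD environment variable; the class name, helper names and sample secret are made up for the example.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class SecretVarRoundTrip {

    // Assumption: algorithm picked for this example; it must match the
    // jasypt.encryptor.algorithm value used by the application.
    static final String ALGORITHM = "PBEWITHHMACSHA512ANDAES_256";

    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setAlgorithm(ALGORITHM);
        e.setIvGenerator(new RandomIvGenerator()); // AES-based PBE needs an IV
        return e; // the salt generator defaults to a random salt per call
    }

    // Wrap ciphertext the way it is stored under variable.secret-var.
    static String wrap(String cipherText) {
        return "ENC(" + cipherText + ")";
    }

    // Strip the ENC(...) wrapper and decrypt; plain values pass through.
    static String resolve(String value, StandardPBEStringEncryptor e) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return e.decrypt(value.substring(4, value.length() - 1));
        }
        return value;
    }

    public static void main(String[] args) {
        // The key comes from the environment, not from the properties file.
        String password = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        StandardPBEStringEncryptor e = encryptor(password);

        String plain = "constructed-sample-secret"; // constructed sample value
        String first = wrap(e.encrypt(plain));
        String second = wrap(e.encrypt(plain));

        System.out.println(first);
        System.out.println(second);
        System.out.println("ciphertexts differ: " + !first.equals(second));
        System.out.println("both resolve to plaintext: "
                + (plain.equals(resolve(first, e)) && plain.equals(resolve(second, e))));
    }
}
```

Either printed ENC value can be stored in application.yml, because the salt and IV travel inside the ciphertext; only the password has to be the same at decryption time.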

Conclusion

So, that is it. Now you can encrypt a variable's value inside a properties file. However, you may be wondering whether it is nonsense to put the encrypted variable and the jasypt configuration into one properties file. For this case, we can keep the jasypt configuration and the encrypted value in separate properties files. The technique is called externalized configuration. But that is out of scope for this post. I will try to cover it in the future.

Meanwhile, you can check all the code in my repository. Have a nice day!

Author: ru rocker

I am a professional software developer with more than 10 years of experience. I am a certified Java Developer (SCJP and SCWCD). However, in recent months, I have become more interested in DevOps and have started to become a polyglot developer. Python and Go have become my favorite programming languages besides Java.

5 thoughts on “Spring Boot: Encrypt Property Value in Properties File”

    1. Basically there will be no difference. Spring Boot will always look for the application.properties or application.yml file during startup. One of the main differences is how the content inside the file is structured. The application.properties file uses key-value pairs, while the application.yml file uses the YAML file structure.

      For more detailed examples, you can see https://docs.spring.io/spring-boot/docs/current/reference/html/howto-properties-and-configuration.html#howto-use-yaml-for-external-properties

  1. Hello there, I wonder if you ever made that tutorial about externalizing the configuration to hide the jasypt configuration? Thanks 🙂

    1. In terms of externalizing the jasypt config, I haven't. What I have tried is putting the configuration (database configuration) outside the Java classpath. In other words, I put it into an external folder path (for example, the file located at /opt/config/myapps.properties). But the idea is similar and, in theory, it can be done as well.

      I will try to create a branch from my repo, in order to test whether it works or not. Hopefully sooner 😀

  2. Thanks a lot for the quick reply. Yes I would have to do that. I really wanted to create a ready for production jar file that I could move around. I can also do that but then I would have to start the app with a -Djasypt.encryptor.password=secretkey
