Awesome Open Source
Awesome Open Source


Jasypt integration for Spring boot 1.4.X , 1.5.X and 2.0.X

Build Status Gitter Maven Central

Code Climate Codacy Badge GitHub release Github All Releases MIT License volkswagen status


Jasypt Spring Boot provides Encryption support for property sources in Spring Boot Applications.
There are 3 ways to integrate jasypt-spring-boot in your project:

  • Simply adding the starter jar jasypt-spring-boot-starter to your classpath if using @SpringBootApplication or @EnableAutoConfiguration will enable encryptable properties across the entire Spring Environment
  • Adding jasypt-spring-boot to your classpath and adding @EnableEncryptableProperties to your main Configuration class to enable encryptable properties across the entire Spring Environment
  • Adding jasypt-spring-boot to your classpath and declaring individual encryptable property sources with @EncrytablePropertySource

What's new?

Update 08/28/2021: Version 3.0.4 Release Includes

  • Spring Boot 2.5.4
  • Spring cloud 2020.0.3
  • Removed double property source config from spring ConfigurationPropertySource and added wrapper that lead to stack overflows and circular dependencies
  • StubPropertySource bug fixed
  • Deadlock on properties cache fixed
  • Added Origin support to config properties source wrappers
  • RefreshedScope listener Class.forName() caching for improved performance
  • AES/GCM Support (Guide)
  • ability to skip property sources by class (Guide)

Update 05/31/2020: Version 3.0.3 Release Includes

  • Minor bug fixes
  • Documentation fixes
  • Refresh event fix for spring cloud config

Update 01/11/2020: Version 3.0.2 Release Includes

Update 12/31/2019: Version 3.0.1 Release Includes

  • Adds support for skipping classes from being introspected
  • Usage of replacePlaceHolders instead of replaceRequiredPlaceholders on property resolver to mirror Spring's default behavior
  • Refactored StandardEncryptableEnvironment to use builder pattern and lazy load resolver/filter/detector/encryptor
  • Removed deprecated EncryptableENvironment

Update 11/24/2019: Version 3.0.0 Release Includes

  • Adds support for Spring Boot 2.1.X
  • Spring Boot 1.5.X No longer supported
  • Changed default encryption to PBEWITHHMACSHA512ANDAES_256 (Thanks @rupert-madden-abbott)
  • Switched properties cache to HashMap to avoid concurrency issues (Thanks @krm1312)
  • Higher priority for Properties post processor (Thanks @ttulka)
  • Jasypt Spring Boot Maven Plugin (Thanks @rupert-madden-abbott)
  • To keep your encrypted properties with previous default config use:
    algorithm: PBEWithMD5AndDES
    iv-generator-classname: org.jasypt.iv.NoIvGenerator

Update 9/8/2019: Version 2.1.2 Release Includes

  • jasypt 1.9.3 rollback with IV Generators (thanks @tkalmar)
  • interpolation inside ENC() and ${} blocks (thanks @ttulka)
  • fixes for relaxed bindings, fail on custom bean not found, filters, and double app listener

Update 1/8/2019: Version 2.1.1 Release Including

Update 7/17/2018: Version 2.1.0 Release Including

Update 3/17/2018: Version 2.0.0 has been released supporting

  • Spring Boot 2.0.X.RELEASE. SemVer adopted.

Update 7/18/2015: jasypt-spring-boot is now in Maven Central!

What to do First?

Use one of the following 3 methods (briefly explained above):

  1. Simply add the starter jar dependency to your project if your Spring Boot application uses @SpringBootApplication or @EnableAutoConfiguration and encryptable properties will be enabled across the entire Spring Environment (This means any system property, environment property, command line argument,, application-*.properties, yaml properties, and any other property sources can contain encrypted properties):

  2. IF you don't use @SpringBootApplication or @EnableAutoConfiguration Auto Configuration annotations then add this dependency to your project:


    And then add @EnableEncryptableProperties to you Configuration class. For instance:

    public class MyApplication {

And encryptable properties will be enabled across the entire Spring Environment (This means any system property, environment property, command line argument,, yaml properties, and any other custom property sources can contain encrypted properties)

  1. IF you don't use @SpringBootApplication or @EnableAutoConfiguration Auto Configuration annotations and you don't want to enable encryptable properties across the entire Spring Environment, there's a third option. First add the following dependency to your project:


    And then add as many @EncryptablePropertySource annotations as you want in your Configuration files. Just like you do with Spring's @PropertySource annotation. For instance:

    @EncryptablePropertySource(name = "EncryptedProperties", value = "")
    public class MyApplication {

Conveniently, there's also a @EncryptablePropertySources annotation that one could use to group annotations of type @EncryptablePropertySource like this:

	public class MyApplication {

Also, note that as of version 1.8, @EncryptablePropertySource supports YAML files

Custom Environment

As of version 1.7 1.15, a 4th method of enabling encryptable properties exists for some special cases. A custom ConfigurableEnvironment class is provided: EncryptableEnvironment StandardEncryptableEnvironment and StandardEncryptableServletEnvironment that can be used with SpringApplicationBuilder to define the custom environment this way:

new SpringApplicationBuilder()
    .environment(new StandardEncryptableEnvironment())

This method would only require using a dependency for jasypt-spring-boot. No starter jar dependency is required. This method is useful for early access of encrypted properties on bootstrap. While not required in most scenarios could be useful when customizing Spring Boot's init behavior or integrating with certain capabilities that are configured very early, such as Logging configuration. For a concrete example, this method of enabling encryptable properties is the only one that works with Spring Properties replacement in logback-spring.xml files, using the springProperty tag. For instance:

<springProperty name="user" source="db.user"/>
<springProperty name="password" source="db.password"/>
<appender name="db" class="ch.qos.logback.classic.db.DBAppender">

This mechanism could be used for instance (as shown) to initialize Database Logging Appender that require sensitive credentials to be passed. Alternatively, if a custom StringEncryptor is needed to be provided, a static builder method is provided StandardEncryptableEnvironment#builder for customization (other customizations are possible):

    .encryptor(new MyEncryptor())

How everything Works?

This will trigger some configuration to be loaded that basically does 2 things:

  1. It registers a Spring post processor that decorates all PropertySource objects contained in the Spring Environment so they are "encryption aware" and detect when properties are encrypted following jasypt's property convention.
  2. It defines a default StringEncryptor that can be configured through regular properties, system properties, or command line arguments.

Where do I put my encrypted properties?

When using METHODS 1 and 2 you can define encrypted properties in any of the PropertySource contained in the Environment. For instance, using the @PropertySource annotation:

    @PropertySource(name="EncryptedProperties", value = "")
    public class MyApplication {

And your file would look something like this:

Now when you do environment.getProperty("") or use @Value("${}") what you get is the decrypted version of
When using METHOD 3 (@EncryptablePropertySource) then you can access the encrypted properties the same way, the only difference is that you must put the properties in the resource that was declared within the @EncryptablePropertySource annotation so that the properties can be decrypted properly.

Password-based Encryption Configuration

Jasypt uses an StringEncryptor to decrypt properties. For all 3 methods, if no custom StringEncryptor (see the Custom Encryptor section for details) is found in the Spring Context, one is created automatically that can be configured through the following properties (System, properties file, command line arguments, environment variable, etc.):

Key Required Default Value
jasypt.encryptor.password True -
jasypt.encryptor.algorithm False PBEWITHHMACSHA512ANDAES_256
jasypt.encryptor.key-obtention-iterations False 1000
jasypt.encryptor.pool-size False 1
jasypt.encryptor.provider-name False SunJCE
jasypt.encryptor.provider-class-name False null
jasypt.encryptor.salt-generator-classname False org.jasypt.salt.RandomSaltGenerator
jasypt.encryptor.iv-generator-classname False org.jasypt.iv.RandomIvGenerator
jasypt.encryptor.string-output-type False base64
jasypt.encryptor.proxy-property-sources False false
jasypt.encryptor.skip-property-sources False empty list

The only property required is the encryption password, the rest could be left to use default values. While all this properties could be declared in a properties file, the encryptor password should not be stored in a property file, it should rather be passed as system property, command line argument, or environment variable and as far as its name is jasypt.encryptor.password it'll work.

The last property, jasypt.encryptor.proxyPropertySources is used to indicate jasyp-spring-boot how property values are going to be intercepted for decryption. The default value, false uses custom wrapper implementations of PropertySource, EnumerablePropertySource, and MapPropertySource. When true is specified for this property, the interception mechanism will use CGLib proxies on each specific PropertySource implementation. This may be useful on some scenarios where the type of the original PropertySource must be preserved.

Use you own Custom Encryptor

For custom configuration of the encryptor and the source of the encryptor password you can always define your own StringEncryptor bean in your Spring Context, and the default encryptor will be ignored. For instance:

    public StringEncryptor stringEncryptor() {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        return encryptor;

Notice that the bean name is required, as jasypt-spring-boot detects custom String Encyptors by name as of version 1.5. The default bean name is:


But one can also override this by defining property:


So for instance, if you define jasypt.encryptor.bean=encryptorBean then you would define your custom encryptor with that name:

    public StringEncryptor stringEncryptor() {

Custom Property Detector, Prefix, Suffix and/or Resolver

As of jasypt-spring-boot-1.10 there are new extensions points. EncryptablePropertySource now uses EncryptablePropertyResolver to resolve all properties:

public interface EncryptablePropertyResolver {
    String resolvePropertyValue(String value);

Implementations of this interface are responsible of both detecting and decrypting properties. The default implementation, DefaultPropertyResolver uses the before mentioned StringEncryptor and a new EncryptablePropertyDetector.

Provide a Custom EncryptablePropertyDetector

You can override the default implementation by providing a Bean of type EncryptablePropertyDetector with name encryptablePropertyDetector or if you wanna provide your own bean name, override property and specify the name you wanna give the bean. When providing this, you'll be responsible for detecting encrypted properties. Example:

private static class MyEncryptablePropertyDetector implements EncryptablePropertyDetector {
    public boolean isEncrypted(String value) {
        if (value != null) {
            return value.startsWith("[email protected]");
        return false;

    public String unwrapEncryptedValue(String value) {
        return value.substring("[email protected]".length());
@Bean(name = "encryptablePropertyDetector")
    public EncryptablePropertyDetector encryptablePropertyDetector() {
        return new MyEncryptablePropertyDetector();

Provide a Custom Encrypted Property prefix and suffix

If all you want to do is to have different prefix/suffix for encrypted properties, you can keep using all the default implementations and just override the following properties in (or application.yml):

      prefix: "[email protected]["
      suffix: "]"

Provide a Custom EncryptablePropertyResolver

You can override the default implementation by providing a Bean of type EncryptablePropertyResolver with name encryptablePropertyResolver or if you wanna provide your own bean name, override property and specify the name you wanna give the bean. When providing this, you'll be responsible for detecting and decrypting encrypted properties. Example:

    class MyEncryptablePropertyResolver implements EncryptablePropertyResolver {
        private final PooledPBEStringEncryptor encryptor;
        public MyEncryptablePropertyResolver(char[] password) {
            this.encryptor = new PooledPBEStringEncryptor();
            SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        public String resolvePropertyValue(String value) {
            if (value != null && value.startsWith("{cipher}")) {
                return encryptor.decrypt(value.substring("{cipher}".length()));
            return value;
    EncryptablePropertyResolver encryptablePropertyResolver(@Value("${jasypt.encryptor.password}") String password) {
        return new MyEncryptablePropertyResolver(password.toCharArray());

Notice that by overriding EncryptablePropertyResolver, any other configuration or overrides you may have for prefixes, suffixes, EncryptablePropertyDetector and StringEncryptor will stop working since the Default resolver is what uses them. You'd have to wire all that stuff yourself. Fortunately, you don't have to override this bean in most cases, the previous options should suffice.

But as you can see in the implementation, the detection and decryption of the encrypted properties are internal to MyEncryptablePropertyResolver

Using Filters

jasypt-spring-boot:2.1.0 introduces a new feature to specify property filters. The filter is part of the EncryptablePropertyResolver API and allows you to determine which properties or property sources to contemplate for decryption. This is, before even examining the actual property value to search for, or try to, decrypt it. For instance, by default, all properties which name start with jasypt.encryptor are excluded from examination. This is to avoid circular dependencies at load time when the library beans are configured.

DefaultPropertyFilter properties

By default, the DefaultPropertyResolver uses DefaultPropertyFilter, which allows you to specify the following string pattern lists:

  • Specify the property sources name patterns to be included for decryption
  • Specify the property sources name patterns to be EXCLUDED for decryption
  • Specify the property name patterns to be included for decryption
  • Specify the property name patterns to be EXCLUDED for decryption

Provide a custom EncryptablePropertyFilter

You can override the default implementation by providing a Bean of type EncryptablePropertyFilter with name encryptablePropertyFilter or if you wanna provide your own bean name, override property and specify the name you wanna give the bean. When providing this, you'll be responsible for detecting properties and/or property sources you want to contemplate for decryption. Example:

    class MyEncryptablePropertyFilter implements EncryptablePropertyFilter {
        public boolean shouldInclude(PropertySource<?> source, String name) {
            return name.startsWith('encrypted.');
    EncryptablePropertyFilter encryptablePropertyFilter() {
        return new MyEncryptablePropertyFilter();

Notice that for this mechanism to work, you should not provide a custom EncryptablePropertyResolver and use the default resolver instead. If you provide custom resolver, you are responsible for the entire process of detecting and decrypting properties.

Filter out PropertySource classes from being introspected

Define a comma-separated list of fully-qualified class names to be skipped from introspection. This classes will not be wrapped/proxied by this plugin and thereby properties contained in them won't supported encryption/decryption:


Encryptable Properties cache refresh

Encrypted properties are cached within your application and in certain scenarios, like when using externalized configuration from a config server the properties need to be refreshed when they changed. For this jasypt-spring-boot registers a RefreshScopeRefreshedEventListener that listens to the following events by default to clear the encrypted properties cache:

public static final List<String> EVENT_CLASS_NAMES = Arrays.asList(

Should you need to register extra events that you would like to trigger an encrypted cache invalidation you can add them using the following property (separate by comma if more than one needed):


Maven Plugin

A Maven plugin is provided with a number of helpful utilities.

To use the plugin, just add the following to your pom.xml:


When using this plugin, the easiest way to provide your encryption password is via a system property i.e. -Djasypt.encryptor.password="the password".

By default, the plugin will consider encryption configuration in standard Spring boot configuration files under ./src/main/resources. You can also use system properties or environment variables to supply this configuration.

Keep in mind that the rest of your application code and resources are not available to the plugin because Maven plugins do not share a classpath with projects. If your application provides encryption configuration via a StringEncryptor bean then this will not be picked up.

In general, it is recommended to just rely on the secure default configuration.


To encrypt a single value run:

mvn jasypt:encrypt-value -Djasypt.encryptor.password="the password" -Djasypt.plugin.value="theValueYouWantToEncrypt"

To encrypt placeholders in src/main/resources/, simply wrap any string with DEC(...). For example:

sensitive.password=DEC(secret value)

Then run:

mvn jasypt:encrypt -Djasypt.encryptor.password="the password"

Which would edit that file in place resulting in:


The file name and location can be customised.


To decrypt a single value run:

mvn jasypt:decrypt-value -Djasypt.encryptor.password="the password" -Djasypt.plugin.value="DbG1GppXOsFa2G69PnmADvQFI3esceEhJYbaEIKCcEO5C85JEqGAhfcjFMGnoRFf"

To decrypt placeholders in src/main/resources/, simply wrap any string with ENC(...). For example:


This can be decrypted as follows:

mvn jasypt:decrypt -Djasypt.encryptor.password="the password"

Which would output the decrypted contents to the screen:


Note that outputting to the screen, rather than editing the file in place, is designed to reduce accidental committing of decrypted values to version control. When decrypting, you most likely just want to check what value has been encrypted, rather than wanting to permanently decrypt that value.


Changing the configuration for existing encrypted properties is slightly awkward using the encrypt/decrypt goals. You must run the decrypt goal using the old configuration, then copy the decrypted output back into the original file, then run the encrypt goal with the new configuration.

The re-encrypt goal simplifies this by re-encrypting a file in place. 2 sets of configuration must be provided. The new configuration is supplied in the same way as you would configure the other maven goals. The old configuration is supplied via system properties prefixed with "jasypt.plugin.old" instead of "jasypt.encryptor".

For example, to re-encrypt that was previously encrypted with the password OLD and then encrypt with the new password NEW:

mvn jasypt:reencrypt -Djasypt.plugin.old.password=OLD -Djasypt.encryptor.password=NEW

Note: All old configuration must be passed as system properties. Environment variables and Spring Boot configuration files are not supported.


Sometimes the default encryption configuration might change between versions of jasypt-spring-boot. You can automatically upgrade your encrypted properties to the new defaults with the upgrade goal. This will decrypt your file using the old default configuration and re-encrypt using the new default configuration.

mvn jasypt:upgrade -Djasypt.encryptor.password=EXAMPLE

You can also pass the system property -Djasypt.plugin.old.major-version to specify the version you are upgrading from. This will always default to the last major version where the configuration changed. Currently, the only major version where the defaults changed is version 2, so there is no need to set this property, but it is there for future use.


You can also decrypt a properties file and load all of its properties into memory and make them accessible to Maven. This is useful when you want to make encrypted properties available to other Maven plugins.

You can chain the goals of the later plugins directly after this one. For example, with flyway:

mvn jasypt:load flyway:migrate -Djasypt.encryptor.password="the password"

You can also specify a prefix for each property with -Djasypt.plugin.keyPrefix=example.. This helps to avoid potential clashes with other Maven properties.

Changing the file path

For all the above utilities, the path of the file you are encrypting/decrypting defaults to file:src/main/resources/

This can be changed using the -Djasypt.plugin.path system property.

You can encrypt a file in your test resources directory:

mvn jasypt:encrypt -Djasypt.plugin.path="file:src/main/test/" -Djasypt.encryptor.password="the password"

Or with a different name:

mvn jasypt:encrypt -Djasypt.plugin.path="file:src/main/resources/" -Djasypt.encryptor.password="the password"

Or with a different file type (the plugin supports any plain text file format including YAML):

mvn jasypt:encrypt -Djasypt.plugin.path="file:src/main/resources/application.yaml" -Djasypt.encryptor.password="the password"

Note that the load goal only supports .property files

Spring profiles and other spring config

You can override any spring config you support in your application when running the plugin, for instance selecting a given spring profile:

mvn jasypt:encrypt -Djasypt.encryptor.password="the password" 

Multi-module maven projects

To encrypt/decrypt properties in multi-module projects disable recursion with -N or --non-recursive on the maven command:

mvn jasypt:upgrade -Djasypt.plugin.path=file:server/src/test/resources/  -Djasypt.encryptor.password=supersecret -N

Asymmetric Encryption

jasypt-spring-boot:2.1.1 introduces a new feature to encrypt/decrypt properties using asymmetric encryption with a pair of private/public keys in DER or PEM formats.

Config Properties

The following are the configuration properties you can use to config asymmetric decryption of properties;

Key Default Value Description
jasypt.encryptor.privateKeyString null private key for decryption in String format
jasypt.encryptor.privateKeyLocation null location of the private key for decryption in spring resource format
jasypt.encryptor.privateKeyFormat DER Key format. DER or PEM

You should either use privateKeyString or privateKeyLocation, the String format takes precedence if set. To specify a private key in DER format with privateKeyString, please encode the key bytes to base64.

Note that jasypt.encryptor.password still takes precedences for PBE encryption over the asymmetric config.

Sample config

DER key as string

      privateKeyString: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtB/IYK8E52CYMZTpyIY9U0HqMewyKnRvSo6s+9VNIn/HSh9+MoBGiADa2MaPKvetS3CD3CgwGq/+LIQ1HQYGchRrSORizOcIp7KBx+Wc1riatV/tcpcuFLC1j6QJ7d2I+T7RA98Sx8X39orqlYFQVysTw/aTawX/yajx0UlTW3rNAY+ykeQ0CBHowtTxKM9nGcxLoQbvbYx1iG9JgAqye7TYejOpviOH+BpD8To2S8zcOSojIhixEfayay0gURv0IKJN2LP86wkpAuAbL+mohUq1qLeWdTEBrIRXjlnrWs1M66w0l/6JwaFnGOqEB6haMzE4JWZULYYpr2yKyoGCRAgMBAAECggEAQxURhs1v3D0wgx27ywO3zeoFmPEbq6G9Z6yMd5wk7cMUvcpvoNVuAKCUlY4pMjDvSvCM1znN78g/CnGF9FoxJb106Iu6R8HcxOQ4T/ehS+54kDvL999PSBIYhuOPUs62B/Jer9FfMJ2veuXb9sGh19EFCWlMwILEV/dX+MDyo1qQaNzbzyyyaXP8XDBRDsvPL6fPxL4r6YHywfcPdBfTc71/cEPksG8ts6um8uAVYbLIDYcsWopjVZY/nUwsz49xBCyRcyPnlEUJedyF8HANfVEO2zlSyRshn/F+rrjD6aKBV/yVWfTEyTSxZrBPl4I4Tv89EG5CwuuGaSagxfQpAQKBgQDXEe7FqXSaGk9xzuPazXy8okCX5pT6545EmqTP7/JtkMSBHh/xw8GPp+JfrEJEAJJl/ISbdsOAbU+9KAXuPmkicFKbodBtBa46wprGBQ8XkR4JQoBFj1SJf7Gj9ozmDycozO2Oy8a1QXKhHUPkbPQ0+w3efwoYdfE67ZodpFNhswKBgQDN9eaYrEL7YyD7951WiK0joq0BVBLK3rwO5+4g9IEEQjhP8jSo1DP+zS495t5ruuuuPsIeodA79jI8Ty+lpYqqCGJTE6muqLMJDiy7KlMpe0NZjXrdSh6edywSz3YMX1eAP5U31pLk0itMDTf2idGcZfrtxTLrpRffumowdJ5qqwKBgF+XZ+JRHDN2aEM0atAQr1WEZGNfqG4Qx4o0lfaaNs1+H+knw5kIohrAyvwtK1LgUjGkWChlVCXb8CoqBODMupwFAqKL/IDImpUhc/t5uiiGZqxE85B3UWK/7+vppNyIdaZL13a1mf9sNI/p2whHaQ+3WoW/P3R5z5uaifqM1EbDAoGAN584JnUnJcLwrnuBx1PkBmKxfFFbPeSHPzNNsSK3ERJdKOINbKbaX+7DlT4bRVbWvVj/jcw/c2Ia0QTFpmOdnivjefIuehffOgvU8rsMeIBsgOvfiZGx0TP3+CCFDfRVqjIBt3HAfAFyZfiP64nuzOERslL2XINafjZW5T0pZz8CgYAJ3UbEMbKdvIuK+uTl54R1Vt6FO9T5bgtHR4luPKoBv1ttvSC6BlalgxA0Ts/AQ9tCsUK2JxisUcVgMjxBVvG0lfq/EHpL0Wmn59SHvNwtHU2qx3Ne6M0nQtneCCfR78OcnqQ7+L+3YCMqYGJHNFSard+dewfKoPnWw0WyGFEWCg==

DER key as a resource location

      privateKeyLocation: classpath:private_key.der

PEM key as string

      privateKeyFormat: PEM
      privateKeyString: |-
          -----BEGIN PRIVATE KEY-----
          -----END PRIVATE KEY-----

PEM key as a resource location

      privateKeyFormat: PEM
      privateKeyLocation: classpath:private_key.pem

Encrypting properties

There is no program/command to encrypt properties using asymmetric keys but you can use the following code snippet to encrypt your properties:

DER Format

import com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricConfig;
import com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricStringEncryptor;
import org.jasypt.encryption.StringEncryptor;

public class PropertyEncryptor {
    public static void main(String[] args) {
        SimpleAsymmetricConfig config = new SimpleAsymmetricConfig();
        StringEncryptor encryptor = new SimpleAsymmetricStringEncryptor(config);
        String message = "chupacabras";
        String encrypted = encryptor.encrypt(message);
        System.out.printf("Encrypted message %s\n", encrypted);

PEM Format

import com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricConfig;
import com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricStringEncryptor;
import org.jasypt.encryption.StringEncryptor;
import static com.ulisesbocchio.jasyptspringboot.util.AsymmetricCryptography.KeyFormat.PEM;

public class PropertyEncryptor {
    public static void main(String[] args) {
        SimpleAsymmetricConfig config = new SimpleAsymmetricConfig();
        config.setPublicKey("-----BEGIN PUBLIC KEY-----\n" +
                "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQfyGCvBOdgmDGU6ciGP\n" +
                "VNB6jHsMip0b0qOrPvVTSJ/x0offjKARogA2tjGjyr3rUtwg9woMBqv/iyENR0GB\n" +
                "nIUa0jkYsznCKeygcflnNa4mrVf7XKXLhSwtY+kCe3diPk+0QPfEsfF9/aK6pWBU\n" +
                "FcrE8P2k2sF/8mo8dFJU1t6zQGPspHkNAgR6MLU8SjPZxnMS6EG722MdYhvSYAKs\n" +
                "nu02Hozqb4jh/gaQ/E6NkvM3DkqIyIYsRH2smstIFEb9CCiTdiz/OsJKQLgGy/pq\n" +
                "IVKtai3lnUxAayEV45Z61rNTOusNJf+icGhZxjqhAeoWjMxOCVmVC2GKa9sisqBg\n" +
                "kQIDAQAB\n" +
                "-----END PUBLIC KEY-----\n");
        StringEncryptor encryptor = new SimpleAsymmetricStringEncryptor(config);
        String message = "chupacabras";
        String encrypted = encryptor.encrypt(message);
        System.out.printf("Encrypted message %s\n", encrypted);

AES 256-GCM Encryption

As of version 3.0.4, AES 256-GCM Encryption is supported. To use this type of encryption, set the property jasypt.encryptor.gcm-secret-key-string, jasypt.encryptor.gcm-secret-key-location or jasypt.encryptor.gcm-secret-key-password. The underlying algorithm used is AES/GCM/NoPadding so make sure that's installed in your JDK.
The SimpleGCMByteEncryptor uses a IVGenerator to encrypt properties. You can configure that with property jasypt.encryptor.iv-generator-classname if you don't want to use the default implementation RandomIvGenerator

Using a key

When using a key via jasypt.encryptor.gcm-secret-key-string or jasypt.encryptor.gcm-secret-key-location, make sure you encode your key in base64. The base64 string value could set to jasypt.encryptor.gcm-secret-key-string, or just can save it in a file and use a spring resource locator to that file in property jasypt.encryptor.gcm-secret-key-location. For instance:


Optionally, you can create your own StringEncryptor bean:

public StringEncryptor stringEncryptor() {
    SimpleGCMConfig config = new SimpleGCMConfig();
	return new SimpleGCMStringEncryptor(config);

Using a password

Alternatively, you can use a password to encrypt/decrypt properties using AES 256-GCM. The password is used to generate a key on startup, so there a few properties you need to/can set, these are:

#Optional, defaults to "1000"
#Optional, defaults to 0, no salt. If provided, specify the salt string in ba64 format
#Optional, defaults to PBKDF2WithHmacSHA256

Make sure this parameters are the same if you're encrypting your secrets with external tools. Optionally, you can create your own StringEncryptor bean:

public StringEncryptor stringEncryptor() {
    SimpleGCMConfig config = new SimpleGCMConfig();
	return new SimpleGCMStringEncryptor(config);

Encrypting properties with AES GCM-256

You can use the Maven Plugin or follow a similar strategy as explained in Asymmetric Encryption's Encrypting Properties

Demo App

The jasypt-spring-boot-demo-samples repo contains working Spring Boot app examples. The main jasypt-spring-boot-demo Demo app explicitly sets a System property with the encryption password before the app runs. To have a little more realistic scenario try removing the line where the system property is set, build the app with maven, and the run:

	java -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=password

And you'll be passing the encryption password as a command line argument. Run it like this:

	java -Djasypt.encryptor.password=password -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar

And you'll be passing the encryption password as a System property.

If you need to pass this property as an Environment Variable you can accomplish this by creating or application.yml and adding:


or in YAML

        password: ${JASYPT_ENCRYPTOR_PASSWORD:}

basically what this does is to define the jasypt.encryptor.password property pointing to a different property JASYPT_ENCRYPTOR_PASSWORD that you can set with an Environment Variable, and you can also override via System Properties. This technique can also be used to translate property name/values for any other library you need. This is also available in the Demo app. So you can run the Demo app like this:

JASYPT_ENCRYPTOR_PASSWORD=password java -jar target/jasypt-spring-boot-demo-1.5-SNAPSHOT.jar

Note: When using Gradle as build tool, processResources task fails because of '$' character, to solve this you just need to scape this variable like this '$'.

Other Demo Apps

While jasypt-spring-boot-demo is a comprehensive Demo that showcases all possible ways to encrypt/decrypt properties, there are other multiple Demos that demo isolated scenarios.


Flattr this git repo

Related Awesome Lists
Top Programming Languages
Top Projects

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Java (396,946
Java 8 (396,946
Web (37,477
Security (31,930
Spring (28,662
Spring Boot (16,072
Encryption (11,950
Annotations (10,990
Properties (9,721
Encrypted (5,040
Springboot2 (533
Spring Boot Starter (411