Johannes Dilli
10. October 2017

Encrypted properties with Spring

It may happen, for whatever reason, that you must store credentials in your project. You could store the plain text credentials in your code repository, but this would allow everybody with access to the repository to use these credentials. Therefore, you should avoid this. Fortunately Spring has a solution for that and allows properties to be encrypted.

Example Application

To show this with an example, I created a small application which returns the value of a decrypted property via a REST interface. The encryption of the properties is not part of the code; I will do this with Spring Boot CLI. As a start I created a new project at with the following dependencies:

  • Cloud Bootstrap: To decrypt the properties
  • Web: To create a simple RestController

This is the complete pom.xml:


The Java code is really simple. It only returns the value of the property :

Encrypting the properties

Before we can add the encrypted property to, we first have to encrypt it. To do this, I use Spring Boot CLI:

Install Spring Boot CLI, then add the cloud extension:

Now it is possible to encrypt the value “mysecret” with the key “foo”:

The return value of this command is the encrypted property and we can add it to

The prefixed {cipher} allows Spring to recognize encrypted properties.

Decrypting the properties

If you try to start this application, it will fail with the following exception:

Spring cannot decrypt the property, because the decryption key is still missing. You have to provide the key via the property encrypt.key. As mentioned above, we still do not want to add a plain text password (the decryption key) to the file, because then it would be added to the code repository, which would defeat the whole concept. We need another way to provide the decryption key. Spring can read property values not only from a properties file but also from environment variables. Therefore, I provide the key as an environment variable:

As a result, it is now possible to start the application and call the endpoint to receive the decrypted property:

As expected, this returns “mysecret” which is the decrypted value of the property.

In a real world example you wouldn’t start the application manually and provide the key as shown above. To automate this process, you can add the encryption key to your deployment infrastructure, and let it start the application with the key as an environment variable. In this way you can start the application, but you do not have to store the decryption key in the code repository.

A criticism of this approach could be that it is easier to provide the password directly as an environment variable instead of first encrypting it and then providing the decryption key, since with both approaches you have to provide one environment variable. The advantage of encrypted properties shows as soon as there is more than one password, because you have to set only one environment variable, independent of the number of passwords.


In this example I showed how to encrypt and decrypt properties with Spring without any additional infrastructure. With the help of encrypted properties you can add credentials to property files without worrying that someone with access to your code repository is able to misuse them, because the decryption key is not stored in the code repository.

If you want to switch to Spring Cloud Config at any later date, it is also possible, because the encryption and decryption of properties in Spring Cloud Config Server work exactly the same.
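The rule the article relies on, that only `{cipher}` values and never `encrypt.key` itself reach the repository, can be checked automatically before a commit. The following is an added example, not code from the original article; the sample file, the list of sensitive key-name words and the function name `audit_properties` are assumptions.

```python
import re

# Constructed sample of a Spring .properties file (not taken from the article).
SAMPLE = """\
# application settings
server.port=8080
spring.datasource.username=app
spring.datasource.password= {cipher}0a1b2c3d4e5f
api.token=plain-text-token
encrypt.key=foo
mail.password : ${MAIL_PASSWORD}
"""

# Assumption: key names containing these words hold credentials.
SENSITIVE = re.compile(r"(password|passwd|secret|token|credential)", re.I)
# key, optional separator (= or :), value; simplified java.util.Properties syntax
LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*)$")


def audit_properties(text):
    """Return (line_no, key, problem) for every finding in a properties file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        m = LINE.match(raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1), m.group(2).strip()
        if key.lower().replace("_", ".") == "encrypt.key":
            # The decryption key itself must come from the environment.
            findings.append((no, key, "decryption key committed"))
        elif SENSITIVE.search(key) and value:
            if value.startswith("{cipher}"):
                if len(value) == len("{cipher}"):
                    findings.append((no, key, "empty {cipher} value"))
            elif not value.startswith("${"):
                # Neither encrypted nor a placeholder resolved at runtime.
                findings.append((no, key, "plain-text credential"))
    return findings


if __name__ == "__main__":
    for line_no, key, problem in audit_properties(SAMPLE):
        print(f"line {line_no}: {key}: {problem}")
```

Run as a pre-commit or CI step over every properties file in the repository, a non-empty result should fail the build.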



  1. Alice


    Thanks for the article.
    I am unable to figure out on how the decryption is done in the application.
    The application’s test endpoint returns the encrypted password from the properties.
    Can you please help?

    • Dilli Johannes

      Hi Alice,

      thank you for your feedback and I’m really sorry for my late reply.

      Did you add “Cloud Bootstrap”( to your project? If you forget this dependency, then your application will compile and start, but the properties will not be decrypted and the web endpoint will return “{cipher}711448026e2c6a977b2be1b22f13649cc938366397fbd345113d2a50e27c348f”.

  2. Ashish

    I get the error “Unable to initialize due to invalid secret key.” when I try to encrypt, any idea?

    spring encrypt mysecret --key foo --debug

    Could not create public key RSA Encryptor (String is not PEM encoded data, nor a public key encoded for ssh)
    Trying symmetric key
    Unable to initialize due to invalid secret key

    java.lang.IllegalArgumentException: Unable to initialize due to invalid secret key
    at org.springframework.boot.cli.command.CommandRunner.runAndHandleErrors(
    at org.springframework.boot.cli.SpringCli.main(
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(
    at java.lang.reflect.Method.invoke(
    at org.springframework.boot.loader.Launcher.launch(
    at org.springframework.boot.loader.Launcher.launch(
    at org.springframework.boot.loader.JarLauncher.main(
    Caused by: Illegal key size
    at javax.crypto.Cipher.checkCryptoPerm(
    at javax.crypto.Cipher.implInit(
    at javax.crypto.Cipher.chooseProvider(
    at javax.crypto.Cipher.init(
    at javax.crypto.Cipher.init(
    … 16 more

  3. Johannes Dilli

    Hi Caldash,

    the error message looks like it was caused by an Oracle database. Does the login work without encrypting the property?
    If Spring doesn’t complain that it cannot decrypt the property, it could be the same problem as Jay’s (see comment above). Did you install JCE?

    The decryption of the properties takes place at runtime. This means you can build the jar file even though encryption is not working properly. It should still be possible to overwrite properties via an environment variable.

  4. Caldash

    When I try to run the application I receive the following error code: ORA-01017: invalid username/password; logon denied
    instead of : java.lang.IllegalStateException: Cannot decrypt:

    Does this mean that my application is not acknowledging the cipher?

    Even if I get illegal state exception, will I be able to run mvn clean install on the app to generate jar file so that I can pass it the environment variable as a parameter?

    I have in the file the following db.password:

    spring.datasource.password= {cipher}GeneratedKey


  5. Jay

    Running the same application with no change on Ubuntu works (Windows 7 still not working).

  6. Jay

    I tried a copy and paste of the whole example but still getting error at start up

    Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?

  7. Fazle Khan

    I figured out the problem.

    My archiva server was not correctly proxying requests to the spring repo so the libraries for Finchley were never being downloaded to my local maven repo.

    Once I removed the maven mirror to my archiva server the libraries were downloaded and the functionality worked as expected.


  8. Fazle Khan

    The problem seems to be with the latest versions of Spring (2.0.0.RELEASE) and Cloud-Config (Finchley.BUILD-SNAPSHOT). If I downgrade to the versions 1.5.10.RELEASE and Dalston.SR1 like in the sample pom everything works as expected. But, if I use the more recent versions the functionality breaks.

    I don’t want to downgrade Spring so while keeping it at 2.0.0.RELEASE I’ll explore if a more recent version of Cloud-Config works.



    Demo project for Spring Boot





  9. Johannes Dilli

    Thank you for trying my example. The @EnableConfigServer annotation is part of the Spring Cloud Config Server package and should not be available on the classpath.

    Did you add spring-cloud-starter dependency? (I just added the complete pom.xml at the beginning of this article.) Without the spring-cloud-starter the application is not aware of encrypted properties and will return the original value of

    You can test this by starting the application without “ENCRYPT_KEY=foo”: If it starts, spring-cloud-starter is missing. If it fails with exception “java.lang.IllegalStateException: Cannot decrypt:”, it should be able to decrypt the property if the decryption key is available.

  10. Fazle Khan

    So it looks like the annotation @EnableConfigServer must be added to the and the configuration added to the for this to work

  11. Fazle Khan

    When I try to use your example the original value of ‘’ is returned by the rest controller. The application does not try and decrypt the property