Spring Cloud Config – Encrypt / Decrypt Configuration Properties

In the previous articles, we learned how to set up a Spring Cloud configuration server using a git repository and the file system to store configuration property files.

In this article, we will learn how to encrypt/decrypt the configuration properties in Spring Cloud configuration server.

By default, Spring Cloud configuration server stores all property values as plain text. Storing sensitive data in the form of plain text may not be a good idea.

Spring Cloud configuration server supports both symmetric and asymmetric encryption of configuration property values.

In this article, we will see how to use a symmetric key (shared key) to encrypt our configuration properties.

Download and install Oracle JCE jars

Download the suitable version of Oracle’s JCE jars from here.

In our case, we are using Java 8 on our local Windows machine, so we have downloaded the suitable version of the zip file.

[Image: Oracle JCE download]

Once the zip file is downloaded, unzip the file.

Open the jre/lib/security folder of the currently installed Java. In our case, it is the C:/Program Files/Java/jdk1.8.0_73/jre/lib/security directory on the Windows system.

Take a backup of the local_policy.jar and US_export_policy.jar files. Replace these two files with the downloaded ones, which were unzipped earlier.

Enable encryption on config server

Check out the previous article to learn how to set up Spring Cloud configuration server.

Create a bootstrap.properties file under the src/main/resources directory of the configuration server application.

Add the property encrypt.key and set a symmetric key value. This is the shared key used by Spring Cloud configuration server to encrypt and decrypt the configuration properties.


Encrypting and decrypting the properties

Once the configuration server is started, it exposes two HTTP POST endpoints: /encrypt and /decrypt.

We can use the /encrypt endpoint to encrypt property values and store them in our configuration properties file.

Open Postman and hit the /encrypt endpoint with the value to be encrypted as shown below.

[Image: encrypt endpoint]

Store the encrypted value in the configuration property as shown below. Notice that the {cipher} prefix and the value are stored together within double quotes ("").

my:
  prop: my test property
  encrypted-prop: "{cipher}010efcfa6df24c966e975213b5d2c0dc74a3bd485cbecc04dee915cbbf7b7d55"
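A check that could run over the configuration repository before a commit, added here as an example and not part of the original article's code: it flags secret-looking keys stored as plain text and {cipher} values that are wrongly quoted or not valid hex. The key-name heuristic, the function name lint_config and every sample line except encrypted-prop are assumptions made for this example; the hex check assumes symmetric-key output shaped like the value above.

```python
import re

# Key names that usually hold secrets (a heuristic assumed for this example).
SENSITIVE = re.compile(r"password|passwd|secret|token|credential|api[-_.]?key", re.I)
# "{cipher}" plus whole hex-encoded bytes, the shape of the value shown above.
CIPHER = re.compile(r"^\{cipher\}(?:[0-9a-fA-F]{2})+$")
# "key: value" (YAML) or "key=value" (.properties) on a single line.
LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[:=]\s*(.*?)\s*$")


def lint_config(text, yaml=True):
    """Return (line_no, key, problem) for every suspicious property."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if raw.lstrip().startswith("#") or not m or not m.group(2):
            continue  # comment, blank line, or parent key such as "my:"
        key, value = m.groups()
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"
        bare = value[1:-1] if quoted else value
        if bare.startswith("{cipher}"):
            if quoted != yaml:
                # YAML needs the quotes; in .properties they become part of the value.
                findings.append((no, key, "wrong quoting"))
            elif not CIPHER.match(bare):
                findings.append((no, key, "malformed cipher text"))
        elif SENSITIVE.search(key):
            findings.append((no, key, "plain-text secret"))
    return findings


# Constructed sample: only encrypted-prop is taken from the article.
SAMPLE_YAML = """\
my:
  prop: my test property
  encrypted-prop: "{cipher}010efcfa6df24c966e975213b5d2c0dc74a3bd485cbecc04dee915cbbf7b7d55"
  db-password: hunter2
  api-token: {cipher}0a1b2c
  smtp-secret: "{cipher}not-hex"
"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_YAML):
        print("line %d: %s: %s" % finding)
```

Pass yaml=False when checking a .properties file, where a {cipher} value must not be wrapped in quotes.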

By default, Spring Cloud config server decrypts the encrypted values while retrieving them. If we start the configuration server and try to access the configuration property, we get the decrypted value as shown below.

[Image: decrypted value served by Spring Cloud config]

Disable decryption of property on config server

We can disable decryption of the encrypted property values before they are served by setting the following property in the bootstrap.properties file.


Access the cloud config server now, and we should be able to see the encrypted property value.

[Image: encrypted configuration property]

Setting up config client service to get the encrypted value

In our previous article, we created a simple-service to read the configuration properties from configuration server.

Let us modify it to enable decryption of encrypted properties.

Make sure that decryption of properties is disabled on the configuration server first, as explained in the section above. 🙂

Add required dependency

To enable decryption on the client side, we have to add the spring-security-rsa dependency to the application’s pom.xml file.

This jar contains the Java code required to decrypt the encrypted configuration property values.


Add the symmetric key to the configuration property

Open the bootstrap.properties file and add the symmetric key that was used earlier to encrypt our property on the configuration server.


Update the client service to read the configuration

Add the following code to the Spring Boot application class. Note that a few parts of the code (@RefreshScope, etc.) are explained in the previous article.

Here, we have added one more string variable to read the encrypted property my.encrypted-prop from the configuration server.

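import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;

// Class-level annotations (@RefreshScope, etc.) and the request mapping are as in the previous article.
public class SimpleServiceApplication {

	@Value(value = "${my.prop}")
	private String myProp;
	// Stored as a {cipher} value; decrypted on the client with the key from bootstrap.properties
	@Value(value = "${my.encrypted-prop}")
	private String decryptedProp;

	public String getMyProp() {
		return "Prop value: " + myProp + " Decrypted Prop: " + decryptedProp;
	}

	public static void main(String[] args) {
		SpringApplication.run(SimpleServiceApplication.class, args);
	}
}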

It’s all ready now!! Run the client service. 🙂 🙂

Make sure that configuration server is also up and running!! 😛

If we access our application, we should be able to see the decrypted message as shown below.


We have successfully encrypted the configuration property on the configuration server and decrypted it on the configuration client service, using a symmetric key! Good job!! 🙂

Note: This is a continuation of the previous articles; please read this and this article to learn how to set up the configuration server using the file system and a git repository.


In this article, we learned how to use a symmetric key to encrypt and decrypt property values on Spring Cloud configuration server.

Sample code is available on GitHub. Happy coding!! 🙂 🙂