How to encrypt passwords in a Spring Boot project using Jasypt

Spring boot is a Java-based framework to develop microservices in order to build enterprise-level applications.

You often come across developing projects where you have to connect to databases like MongoDB, etc and store the authentic password of DB connection in the config file of spring boot project (application.yml or application.properties). Even passwords or tokens required for Authorization to make other API call are also stored in the same way.

You can actually refrain from adding the actual password in the config file and use ‘jasypt-spring-boot‘, a java library. 

What is Jasypt?
Jasypt (Java Simplified Encryption), provides encryption support for property sources in Spring Boot Applications. It will help you to add basic encryption features to your projects with very fewer efforts and without writing any code with the help of a few additions in your project here and there. Springboot is a very powerful framework that will help you to add encryption capability without implementing any cryptography method. Jasypt is highly configurable.

Steps To Add Encryption Using Jasypt: 



  1. Add maven dependency of jasypt: In the pom.xml file, add maven dependency which can be found easily at maven repository.

  2. Add annotation in the Spring Boot Application main Configuration class: @EnableEncryptableProperties annotation needs to be added to make the application understand the encryptable properties across the entire Spring Environment.

  3. Decide a secret key to be used for encryption and decryption The secret key is used to encrypt the password and later can be used to decrypt the encrypted value to get the actual password. You can choose any value as the secret key.
  4. Generate Encrypted Key The encrypted key can be generated through either of the following 2 methods:
    1. Use the Jasypt Online Tool :

      This link can be used to generate an encrypted key by passing the chosen secret key.

      • The password to encrypt: abcd1234
      • Select type of encryption: Two-way encryption (PBEWithMD5AndDES by default is used)
      • Secret Key: hello (It can be any value)
      • Encrypted String: kNuS1WAezYE7cph7zXVTiPSQSdHTx7Kv

      You can actually use the tool to encrypt and check the encrypted key by decrypting it.

    2. Use the jasypt Jar: Download the jasypt jar file from the maven repository and run it through the following command:

      java -cp //jasypt-1.9.3/lib/jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input=”xyz123″ password=secretkey algorithm=PBEWithMD5AndDES

      Following is the significance of command-line parameters passed to run the jar:

      • input: abcd1234 (Actual password to be encrypted)
      • password: hello (the secret key chosen by you)
      • algorithm: PBEWithMD5AndDES (default algorithm used)
      • OUTPUT: scEjemHosjc/hjA8saT7Y6uC65bs0swg (Encrypted value of input)

      Note: Though the encrypted value i.e. Encrypted String & OUTPUT in 3.1 and 3.2 respectively are different, as the secret key is the same, the decryption will result in the same value (abcd1234) in both the cases.

  5. Add the encrypted key in the config file (application.yml or application.properties): Now instead of adding the actual password ie. “abcd1234” as per the above eg., you need to add the encrypted value generated by either of the above methods. But how will the jasypt dependency understand that the particular property of the config file needs to be decrypted? Hence to make Jasypt aware of your encrypted values, it uses a convention which you need to add in the following format:

    ENC(encrypted key): ENC(scEjemHosjc/hjA8saT7Y6uC65bs0swg)

    In the above image, the encryption of the database password is done. You can use it in any scenario where you have to hide the actual password.

  6. Secret key chosen needs to be passed to decrypt at runtime: Make the Jasypt aware of the secret key which you have used to form the encrypted value. Hence following are the different methods to pass the secret key: 
    1. Pass it as a property in the config file. Run the project as usual and the decryption would happen.

    2. Run the project with the following command:

      $mvn-Djasypt.encryptor.password=secretkey spring-boot:run

    3. Export Jasypt Encryptor Password:

      JASYPT_ENCRYPTOR_PASSWORD=hello

Attention reader! Don’t stop learning now. Get hold of all the important DSA concepts with the DSA Self Paced Course at a student-friendly price and become industry ready.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.