[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-10884":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":17,"compositeScore":19,"rankGlobal":10,"rankLanguage":10,"license":20,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":39,"readmeContent":40,"aiSummary":41,"trendingCount":16,"starSnapshotCount":16,"syncStatus":17,"lastSyncTime":42,"discoverSource":43},10884,"jasypt-spring-boot","ulisesbocchio\u002Fjasypt-spring-boot","ulisesbocchio","Jasypt integration for Spring boot","",null,"Java",3082,544,85,67,0,2,5,30.21,"MIT License",false,"master",true,[25,26,27,28,29,30,31,32,33,34,35,36,37,38],"encryptable-properties","encryption","java","java-8","java8","security","spring","spring-boot","spring-boot-2","spring-boot-starter","spring-boot2","web","webapp","website","2026-06-12 02:02:28","# jasypt-spring-boot\n**[Jasypt](http:\u002F\u002Fwww.jasypt.org)** integration for Spring Boot 3.5+\n\n**Requirements:** Java 17+ and Spring Boot 3.5+\n\n[![Build Status](https:\u002F\u002Fapp.travis-ci.com\u002Fulisesbocchio\u002Fjasypt-spring-boot.svg?branch=master)](https:\u002F\u002Fapp.travis-ci.com\u002Fulisesbocchio\u002Fjasypt-spring-boot)\n[![Gitter](https:\u002F\u002Fbadges.gitter.im\u002FJoin%20Chat.svg)](https:\u002F\u002Fgitter.im\u002Fulisesbocchio\u002Fjasypt-spring-boot?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)\n[![Maven Central](https:\u002F\u002Fmaven-badges.herokuapp.com\u002Fmaven-central\u002Fcom.github.ulisesbocchio\u002Fjasypt-spring-boot\u002Fbadge.svg?style=plastic)](https:\u002F\u002Fmaven-badges.herokuapp.com\u002Fmaven-central\u002Fcom.github.ulisesbocchio\u002Fjasypt-spring-boot)\n\n\n[![Code Climate](https:\u002F\u002Fcodeclimate.com\u002Fgithub\u002Frsercano\u002Fmongoclient\u002Fbadges\u002Fgpa.svg)](https:\u002F\u002Fcodeclimate.com\u002Fgithub\u002Fulisesbocchio\u002Fjasypt-spring-boot)\n[![Codacy Badge](https:\u002F\u002Fapi.codacy.com\u002Fproject\u002Fbadge\u002FGrade\u002F6a75fc4e1d3f480f811b5339202400b5)](https:\u002F\u002Fwww.codacy.com\u002Fapp\u002Fulisesbocchio\u002Fjasypt-spring-boot?utm_source=github.com&utm_medium=referral&utm_content=ulisesbocchio\u002Fjasypt-spring-boot&utm_campaign=Badge_Grade)\n[![GitHub release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frelease\u002Fulisesbocchio\u002Fjasypt-spring-boot.svg)](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot)\n[![Github All Releases](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fdownloads\u002Fulisesbocchio\u002Fjasypt-spring-boot\u002Ftotal.svg)](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot)\n[![MIT License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-blue.svg?style=flat)](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot\u002Fblob\u002Fmaster\u002FLICENSE)\n[![volkswagen status](https:\u002F\u002Fauchenberg.github.io\u002Fvolkswagen\u002Fvolkswargen_ci.svg?v=1)](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot)\n\n[![Paypal](https:\u002F\u002Fwww.paypalobjects.com\u002Fen_US\u002Fi\u002Fbtn\u002Fbtn_donateCC_LG.gif)](https:\u002F\u002Fwww.paypal.com\u002Fcgi-bin\u002Fwebscr?cmd=_s-xclick&hosted_button_id=9J2V5HJT8AZF8)\n\n[![\"Buy Me A Coffee\"](https:\u002F\u002Fwww.buymeacoffee.com\u002Fassets\u002Fimg\u002Fcustom_images\u002Fyellow_img.png)](https:\u002F\u002Fwww.buymeacoffee.com\u002Fulisesbd)\n\nJasypt Spring Boot provides Encryption support for property sources in Spring Boot Applications.\u003Cbr\u002F>\nThere are 3 ways to integrate `jasypt-spring-boot` in your project:\n\n- Simply adding the starter jar `jasypt-spring-boot-starter` to your classpath if using `@SpringBootApplication` or `@EnableAutoConfiguration` will enable encryptable properties across the entire Spring Environment\n- Adding `jasypt-spring-boot` to your classpath and adding `@EnableEncryptableProperties` to your main Configuration class to enable encryptable properties across the entire Spring Environment\n- Adding `jasypt-spring-boot` to your classpath and declaring individual encryptable property sources with `@EncryptablePropertySource`\n## What's new?\n### Go to [Releases](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot\u002Freleases)\n## What to do First?\nUse one of the following 3 methods (briefly explained above):\n\n1. Simply add the starter jar dependency to your project if your Spring Boot application uses `@SpringBootApplication` or `@EnableAutoConfiguration` and encryptable properties will be enabled across the entire Spring Environment (This means any system property, environment property, command line argument, application.properties, application-*.properties, yaml properties, and any other property sources can contain encrypted properties):\n\n\t```xml\n \u003Cdependency>\n \u003CgroupId>com.github.ulisesbocchio\u003C\u002FgroupId>\n \u003CartifactId>jasypt-spring-boot-starter\u003C\u002FartifactId>\n \u003Cversion>4.0.4\u003C\u002Fversion>\n \u003C\u002Fdependency>\n\t```\n2. IF you don't use `@SpringBootApplication` or `@EnableAutoConfiguration` Auto Configuration annotations then add this dependency to your project:\n\t\n\t```xml\n \u003Cdependency>\n \u003CgroupId>com.github.ulisesbocchio\u003C\u002FgroupId>\n \u003CartifactId>jasypt-spring-boot\u003C\u002FartifactId>\n \u003Cversion>4.0.4\u003C\u002Fversion>\n \u003C\u002Fdependency>\n\t```\n\n\tAnd then add `@EnableEncryptableProperties` to you Configuration class. For instance:\n\n\t```java\n @Configuration\n @EnableEncryptableProperties\n public class MyApplication {\n ...\n }\n\t```\n And encryptable properties will be enabled across the entire Spring Environment (This means any system property, environment property, command line argument, application.properties, yaml properties, and any other custom property sources can contain encrypted properties)\n\n3. IF you don't use `@SpringBootApplication` or `@EnableAutoConfiguration` Auto Configuration annotations and you don't want to enable encryptable properties across the entire Spring Environment, there's a third option. First add the following dependency to your project:\n\t\n\t```xml\n \u003Cdependency>\n \u003CgroupId>com.github.ulisesbocchio\u003C\u002FgroupId>\n \u003CartifactId>jasypt-spring-boot\u003C\u002FartifactId>\n \u003Cversion>4.0.4\u003C\u002Fversion>\n \u003C\u002Fdependency>\n\t```\n\tAnd then add as many `@EncryptablePropertySource` annotations as you want in your Configuration files. Just like you do with Spring's `@PropertySource` annotation. For instance:\n\t\n\t```java\n\t@Configuration\n\t@EncryptablePropertySource(name = \"EncryptedProperties\", value = \"classpath:encrypted.properties\")\n\tpublic class MyApplication {\n\t\t...\n\t}\n\t```\nConveniently, there's also a `@EncryptablePropertySources` annotation that one could use to group annotations of type `@EncryptablePropertySource` like this:\n\n```java\n\t@Configuration\n\t@EncryptablePropertySources({@EncryptablePropertySource(\"classpath:encrypted.properties\"),\n\t @EncryptablePropertySource(\"classpath:encrypted2.properties\")})\n\tpublic class MyApplication {\n\t\t...\n\t}\n```\n\nAlso, note that as of version 1.8, `@EncryptablePropertySource` supports YAML files\n\t\n## Custom Environment\nAs of version ~~1.7~~ 1.15, a 4th method of enabling encryptable properties exists for some special cases. A custom `ConfigurableEnvironment` class is provided: ~~`EncryptableEnvironment`~~ `StandardEncryptableEnvironment` and `StandardEncryptableServletEnvironment` that can be used with `SpringApplicationBuilder` to define the custom environment this way:\n\n```java\nnew SpringApplicationBuilder()\n .environment(new StandardEncryptableEnvironment())\n .sources(YourApplicationClass.class).run(args);\n\n```\n\nThis method would only require using a dependency for `jasypt-spring-boot`. No starter jar dependency is required. This method is useful for early access of encrypted properties on bootstrap. While not required in most scenarios could be useful when customizing Spring Boot's init behavior or integrating with certain capabilities that are configured very early, such as Logging configuration. For a concrete example, this method of enabling encryptable properties is the only one that works with Spring Properties replacement in `logback-spring.xml` files, using the `springProperty` tag. For instance:\n\n```xml\n\u003CspringProperty name=\"user\" source=\"db.user\"\u002F>\n\u003CspringProperty name=\"password\" source=\"db.password\"\u002F>\n\u003Cappender name=\"db\" class=\"ch.qos.logback.classic.db.DBAppender\">\n \u003CconnectionSource\n class=\"ch.qos.logback.core.db.DriverManagerConnectionSource\">\n \u003CdriverClass>org.postgresql.Driver\u003C\u002FdriverClass>\n \u003Curl>jdbc:postgresql:\u002F\u002Flocalhost:5432\u002Fsimple\u003C\u002Furl>\n \u003Cuser>${user}\u003C\u002Fuser>\n \u003Cpassword>${password}\u003C\u002Fpassword>\n \u003C\u002FconnectionSource>\n\u003C\u002Fappender>\n```\n\nThis mechanism could be used for instance (as shown) to initialize Database Logging Appender that require sensitive credentials to be passed.\nAlternatively, if a custom `StringEncryptor` is needed to be provided, a static builder method is provided `StandardEncryptableEnvironment#builder` for customization (other customizations are possible):\n\n```java\nStandardEncryptableEnvironment\n .builder()\n .encryptor(new MyEncryptor())\n .build()\n```\n\n## How everything Works?\n\nThis will trigger some configuration to be loaded that basically does 2 things:\n\n1. It registers a Spring post processor that decorates all PropertySource objects contained in the Spring Environment so they are \"encryption aware\" and detect when properties are encrypted following jasypt's property convention.\n2. It defines a default `StringEncryptor` that can be configured through regular properties, system properties, or command line arguments.\n\n## Where do I put my encrypted properties?\nWhen using METHODS 1 and 2 you can define encrypted properties in any of the PropertySource contained in the Environment. For instance, using the @PropertySource annotation:\n\n```java\n @SpringBootApplication\n @EnableEncryptableProperties\n @PropertySource(name=\"EncryptedProperties\", value = \"classpath:encrypted.properties\")\n public class MyApplication {\n ...\n }\n```\nAnd your encrypted.properties file would look something like this:\n\n```properties\n\tsecret.property=ENC(nrmZtkF7T0kjG\u002FVodDvBw93Ct8EgjCA+)\n```\nNow when you do `environment.getProperty(\"secret.property\")` or use `@Value(\"${secret.property}\")` what you get is the decrypted version of `secret.property`.\u003Cbr\u002F>\nWhen using METHOD 3 (`@EncryptablePropertySource`) then you can access the encrypted properties the same way, the only difference is that you must put the properties in the resource that was declared within the `@EncryptablePropertySource` annotation so that the properties can be decrypted properly.\n\n## Password-based Encryption Configuration\nJasypt uses an `StringEncryptor` to decrypt properties. For all 3 methods, if no custom `StringEncryptor` (see the [Custom Encryptor](#customEncryptor) section for details) is found in the Spring Context, one is created automatically that can be configured through the following properties (System, properties file, command line arguments, environment variable, etc.):\n\n\u003Ctable border=\"1\">\n \u003Ctr>\n \u003Ctd>Key\u003C\u002Ftd>\u003Ctd>Required\u003C\u002Ftd>\u003Ctd>Default Value\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.password\u003C\u002Ftd>\u003Ctd>\u003Cb>True\u003C\u002Fb>\u003C\u002Ftd>\u003Ctd> - \u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.algorithm\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>PBEWITHHMACSHA512ANDAES_256\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.key-obtention-iterations\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>1000\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.pool-size\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>1\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.provider-name\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>SunJCE\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.provider-class-name\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>null\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.salt-generator-classname\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>org.jasypt.salt.RandomSaltGenerator\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.iv-generator-classname\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>org.jasypt.iv.RandomIvGenerator\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.string-output-type\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>base64\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.proxy-property-sources\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>false\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.skip-property-sources\u003C\u002Ftd>\u003Ctd>False\u003C\u002Ftd>\u003Ctd>empty list\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003C\u002Ftable>\n\nThe only property required is the encryption password, the rest could be left to use default values. While all this properties could be declared in a properties file, the encryptor password should not be stored in a property file, it should rather be passed as system property, command line argument, or environment variable and as far as its name is `jasypt.encryptor.password` it'll work.\u003Cbr\u002F>\n\nThe last property, `jasypt.encryptor.proxyPropertySources` is used to indicate `jasyp-spring-boot` how property values are going to be intercepted for decryption. The default value, `false` uses custom wrapper implementations of `PropertySource`, `EnumerablePropertySource`, and `MapPropertySource`. When `true` is specified for this property, the interception mechanism will use CGLib proxies on each specific `PropertySource` implementation. This may be useful on some scenarios where the type of the original `PropertySource` must be preserved. \n\n## \u003Ca name=\"customEncryptor\">\u003C\u002Fa>Use you own Custom Encryptor\nFor custom configuration of the encryptor and the source of the encryptor password you can always define your own StringEncryptor bean in your Spring Context, and the default encryptor will be ignored. For instance:\n\n```java\n @Bean(\"jasyptStringEncryptor\")\n public StringEncryptor stringEncryptor() {\n PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();\n SimpleStringPBEConfig config = new SimpleStringPBEConfig();\n config.setPassword(\"password\");\n config.setAlgorithm(\"PBEWITHHMACSHA512ANDAES_256\");\n config.setKeyObtentionIterations(\"1000\");\n config.setPoolSize(\"1\");\n config.setProviderName(\"SunJCE\");\n config.setSaltGeneratorClassName(\"org.jasypt.salt.RandomSaltGenerator\");\n config.setIvGeneratorClassName(\"org.jasypt.iv.RandomIvGenerator\");\n config.setStringOutputType(\"base64\");\n encryptor.setConfig(config);\n return encryptor;\n }\n```\nNotice that the bean name is required, as `jasypt-spring-boot` detects custom String Encyptors by name as of version `1.5`. The default bean name is:\n\n``` jasyptStringEncryptor ```\n\nBut one can also override this by defining property:\n\n``` jasypt.encryptor.bean ```\n\nSo for instance, if you define `jasypt.encryptor.bean=encryptorBean` then you would define your custom encryptor with that name:\n\n```java\n @Bean(\"encryptorBean\")\n public StringEncryptor stringEncryptor() {\n ...\n }\n```\n\n## Custom Property Detector, Prefix, Suffix and\u002For Resolver\n\nAs of `jasypt-spring-boot-1.10` there are new extensions points. `EncryptablePropertySource` now uses `EncryptablePropertyResolver` to resolve all properties:\n\n```java\npublic interface EncryptablePropertyResolver {\n String resolvePropertyValue(String value);\n}\n```\n\nImplementations of this interface are responsible of both **detecting** and **decrypting** properties. The default implementation, `DefaultPropertyResolver` uses the before mentioned\n`StringEncryptor` and a new `EncryptablePropertyDetector`.\n\n### Provide a Custom `EncryptablePropertyDetector`\n\nYou can override the default implementation by providing a Bean of type `EncryptablePropertyDetector` with name `encryptablePropertyDetector` or if you wanna provide\nyour own bean name, override property `jasypt.encryptor.property.detector-bean` and specify the name you wanna give the bean. When providing this, you'll be responsible for\ndetecting encrypted properties.\nExample:\n\n```java\nprivate static class MyEncryptablePropertyDetector implements EncryptablePropertyDetector {\n @Override\n public boolean isEncrypted(String value) {\n if (value != null) {\n return value.startsWith(\"ENC@\");\n }\n return false;\n }\n\n @Override\n public String unwrapEncryptedValue(String value) {\n return value.substring(\"ENC@\".length());\n }\n}\n```\n\n```java\n@Bean(name = \"encryptablePropertyDetector\")\n public EncryptablePropertyDetector encryptablePropertyDetector() {\n return new MyEncryptablePropertyDetector();\n }\n```\n\n### Provide a Custom Encrypted Property `prefix` and `suffix`\n\nIf all you want to do is to have different prefix\u002Fsuffix for encrypted properties, you can keep using all the default implementations\nand just override the following properties in `application.properties` (or `application.yml`):\n\n```YAML\njasypt:\n encryptor:\n property:\n prefix: \"ENC@[\"\n suffix: \"]\"\n```\n\n### Provide a Custom `EncryptablePropertyResolver`\n\nYou can override the default implementation by providing a Bean of type `EncryptablePropertyResolver` with name `encryptablePropertyResolver` or if you wanna provide\nyour own bean name, override property `jasypt.encryptor.property.resolver-bean` and specify the name you wanna give the bean. When providing this, you'll be responsible for\ndetecting and decrypting encrypted properties.\nExample:\n\n```java\n class MyEncryptablePropertyResolver implements EncryptablePropertyResolver {\n \n \n private final PooledPBEStringEncryptor encryptor;\n \n public MyEncryptablePropertyResolver(char[] password) {\n this.encryptor = new PooledPBEStringEncryptor();\n SimpleStringPBEConfig config = new SimpleStringPBEConfig();\n config.setPasswordCharArray(password);\n config.setAlgorithm(\"PBEWITHHMACSHA512ANDAES_256\");\n config.setKeyObtentionIterations(\"1000\");\n config.setPoolSize(1);\n config.setProviderName(\"SunJCE\");\n config.setSaltGeneratorClassName(\"org.jasypt.salt.RandomSaltGenerator\");\n config.setIvGeneratorClassName(\"org.jasypt.iv.RandomIvGenerator\");\n config.setStringOutputType(\"base64\");\n encryptor.setConfig(config);\n }\n \n @Override\n public String resolvePropertyValue(String value) {\n if (value != null && value.startsWith(\"{cipher}\")) {\n return encryptor.decrypt(value.substring(\"{cipher}\".length()));\n }\n return value;\n }\n }\n```\n\n```java\n@Bean(name=\"encryptablePropertyResolver\")\n EncryptablePropertyResolver encryptablePropertyResolver(@Value(\"${jasypt.encryptor.password}\") String password) {\n return new MyEncryptablePropertyResolver(password.toCharArray());\n }\n```\n\nNotice that by overriding `EncryptablePropertyResolver`, any other configuration or overrides you may have for prefixes, suffixes, \n`EncryptablePropertyDetector` and `StringEncryptor` will stop working since the Default resolver is what uses them. You'd have to\nwire all that stuff yourself. Fortunately, you don't have to override this bean in most cases, the previous options should suffice.\n\nBut as you can see in the implementation, the detection and decryption of the encrypted properties are internal to `MyEncryptablePropertyResolver`\n\n## Using Filters\n\n`jasypt-spring-boot:2.1.0` introduces a new feature to specify property filters. The filter is part of the `EncryptablePropertyResolver` API\nand allows you to determine which properties or property sources to contemplate for decryption. This is, before even examining the actual\nproperty value to search for, or try to, decrypt it. For instance, by default, all properties which name start with `jasypt.encryptor`\nare excluded from examination. This is to avoid circular dependencies at load time when the library beans are configured.\n\n### DefaultPropertyFilter properties\n\nBy default, the `DefaultPropertyResolver` uses `DefaultPropertyFilter`, which allows you to specify the following string pattern lists:\n\n* jasypt.encryptor.property.filter.include-sources: Specify the property sources name patterns to be included for decryption\n* jasypt.encryptor.property.filter.exclude-sources: Specify the property sources name patterns to be EXCLUDED for decryption\n* jasypt.encryptor.property.filter.include-names: Specify the property name patterns to be included for decryption\n* jasypt.encryptor.property.filter.exclude-names: Specify the property name patterns to be EXCLUDED for decryption\n\n### Provide a custom `EncryptablePropertyFilter`\n\nYou can override the default implementation by providing a Bean of type `EncryptablePropertyFilter` with name `encryptablePropertyFilter` or if you wanna provide\nyour own bean name, override property `jasypt.encryptor.property.filter-bean` and specify the name you wanna give the bean. When providing this, you'll be responsible for\ndetecting properties and\u002For property sources you want to contemplate for decryption.\nExample:\n\n```java\n class MyEncryptablePropertyFilter implements EncryptablePropertyFilter {\n \n public boolean shouldInclude(PropertySource\u003C?> source, String name) {\n return name.startsWith('encrypted.');\n }\n }\n```\n\n```java\n@Bean(name=\"encryptablePropertyFilter\")\n EncryptablePropertyFilter encryptablePropertyFilter() {\n return new MyEncryptablePropertyFilter();\n }\n```\n\nNotice that for this mechanism to work, you should not provide a custom `EncryptablePropertyResolver` and use the default\nresolver instead. If you provide custom resolver, you are responsible for the entire process of detecting and decrypting\nproperties.\n\n## Filter out `PropertySource` classes from being introspected\nDefine a comma-separated list of fully-qualified class names to be skipped from introspection. This classes will not be\nwrapped\u002Fproxied by this plugin and thereby properties contained in them won't be supported encryption\u002Fdecryption:\n\n```properties\njasypt.encryptor.skip-property-sources=org.springframework.boot.env.RandomValuePropertySource,org.springframework.boot.ansi.AnsiPropertySource\n```\n## Encryptable Properties cache refresh\nEncrypted properties are cached within your application and in certain scenarios, like when using externalized configuration\nfrom a config server the properties need to be refreshed when they changed. For this `jasypt-spring-boot` registers a\n`RefreshScopeRefreshedEventListener` that listens to the following events by default to clear the encrypted properties cache:\n```java\npublic static final List\u003CString> EVENT_CLASS_NAMES = Arrays.asList(\n \"org.springframework.cloud.context.scope.refresh.RefreshScopeRefreshedEvent\",\n \"org.springframework.cloud.context.environment.EnvironmentChangeEvent\",\n \"org.springframework.boot.web.servlet.context.ServletWebServerInitializedEvent\"\n );\n```\nShould you need to register extra events that you would like to trigger an encrypted cache invalidation you can add them\nusing the following property (separate by comma if more than one needed):\n```properties\njasypt.encryptor.refreshed-event-classes=org.springframework.boot.context.event.ApplicationStartedEvent\n```\n\n## Maven Plugin\n\nA Maven plugin is provided with a number of helpful utilities.\n\nTo use the plugin, just add the following to your pom.xml:\n\n```xml\n\u003Cbuild>\n \u003Cplugins>\n \u003Cplugin>\n \u003CgroupId>com.github.ulisesbocchio\u003C\u002FgroupId>\n \u003CartifactId>jasypt-maven-plugin\u003C\u002FartifactId>\n \u003Cversion>4.0.4\u003C\u002Fversion>\n \u003C\u002Fplugin>\n \u003C\u002Fplugins>\n\u003C\u002Fbuild>\n```\n\nWhen using this plugin, the easiest way to provide your encryption password is via a system property i.e.\n-Djasypt.encryptor.password=\"the password\".\n\nBy default, the plugin will consider encryption configuration in standard Spring boot configuration files under\n.\u002Fsrc\u002Fmain\u002Fresources. You can also use system properties or environment variables to supply this configuration.\n\nKeep in mind that the rest of your application code and resources are not available to the plugin because Maven plugins\ndo not share a classpath with projects. If your application provides encryption configuration via a StringEncryptor\nbean then this will not be picked up.\n\nIn general, it is recommended to just rely on the secure default configuration.\n\n### Encryption\n\nTo encrypt a single value run:\n\n```bash\nmvn jasypt:encrypt-value -Djasypt.encryptor.password=\"the password\" -Djasypt.plugin.value=\"theValueYouWantToEncrypt\"\n```\n\nTo encrypt placeholders in `src\u002Fmain\u002Fresources\u002Fapplication.properties`, simply wrap any string with `DEC(...)`.\nFor example:\n\n```properties\nsensitive.password=DEC(secret value)\nregular.property=example\n```\n\nThen run:\n\n```bash\nmvn jasypt:encrypt -Djasypt.encryptor.password=\"the password\"\n```\n\nWhich would edit that file in place resulting in:\n\n```properties\nsensitive.password=ENC(encrypted)\nregular.property=example\n```\n\nThe file name and location can be customised.\n\n### Decryption\n\nTo decrypt a single value run:\n\n```bash\nmvn jasypt:decrypt-value -Djasypt.encryptor.password=\"the password\" -Djasypt.plugin.value=\"DbG1GppXOsFa2G69PnmADvQFI3esceEhJYbaEIKCcEO5C85JEqGAhfcjFMGnoRFf\"\n```\n\nTo decrypt placeholders in `src\u002Fmain\u002Fresources\u002Fapplication.properties`, simply wrap any string with `ENC(...)`. For\nexample:\n\n```properties\nsensitive.password=ENC(encrypted)\nregular.property=example\n```\n\nThis can be decrypted as follows:\n\n```bash\nmvn jasypt:decrypt -Djasypt.encryptor.password=\"the password\"\n```\n\nWhich would output the decrypted contents to the screen:\n\n```properties\nsensitive.password=DEC(decrypted)\nregular.property=example\n```\n\nNote that outputting to the screen, rather than editing the file in place, is designed to reduce\naccidental committing of decrypted values to version control. When decrypting, you most likely\njust want to check what value has been encrypted, rather than wanting to permanently decrypt that\nvalue.\n\n### Re-encryption\nChanging the configuration for existing encrypted properties is slightly awkward using the encrypt\u002Fdecrypt goals. You\nmust run the decrypt goal using the old configuration, then copy the decrypted output back into the original file, then\nrun the encrypt goal with the new configuration.\n\nThe re-encrypt goal simplifies this by re-encrypting a file in place. 2 sets of configuration must be provided. The\nnew configuration is supplied in the same way as you would configure the other maven goals. The old configuration\nis supplied via system properties prefixed with \"jasypt.plugin.old\" instead of \"jasypt.encryptor\".\n\nFor example, to re-encrypt application.properties that was previously encrypted with the password OLD and then\nencrypt with the new password NEW:\n\n```bash\nmvn jasypt:reencrypt -Djasypt.plugin.old.password=OLD -Djasypt.encryptor.password=NEW\n```\n\n*Note: All old configuration must be passed as system properties. Environment variables and Spring Boot configuration\nfiles are not supported.*\n\n### Upgrade\nSometimes the default encryption configuration might change between versions of jasypt-spring-boot. You can\nautomatically upgrade your encrypted properties to the new defaults with the upgrade goal. This will decrypt your\napplication.properties file using the old default configuration and re-encrypt using the new default configuration.\n\n```bash\nmvn jasypt:upgrade -Djasypt.encryptor.password=EXAMPLE\n```\n\nYou can also pass the system property `-Djasypt.plugin.old.major-version` to specify the version you are upgrading from.\nThis will always default to the last major version where the configuration changed. Currently, the only major version\nwhere the defaults changed is version 2, so there is no need to set this property, but it is there for future use.\n\n### Load\nYou can also decrypt a properties file and load all of its properties into memory and make them accessible to Maven. This is useful when you want to make encrypted properties available to other Maven plugins.\n\nYou can chain the goals of the later plugins directly after this one. For example, with flyway:\n\n```bash\nmvn jasypt:load flyway:migrate -Djasypt.encryptor.password=\"the password\"\n```\n\nYou can also specify a prefix for each property with `-Djasypt.plugin.keyPrefix=example.`. This\nhelps to avoid potential clashes with other Maven properties.\n\n### Changing the file path\n\nFor all the above utilities, the path of the file you are encrypting\u002Fdecrypting defaults to\n`file:src\u002Fmain\u002Fresources\u002Fapplication.properties`.\n\nThis can be changed using the `-Djasypt.plugin.path` system property.\n\nYou can encrypt a file in your test resources directory:\n\n```bash\nmvn jasypt:encrypt -Djasypt.plugin.path=\"file:src\u002Fmain\u002Ftest\u002Fapplication.properties\" -Djasypt.encryptor.password=\"the password\"\n```\n\nOr with a different name:\n\n```bash\nmvn jasypt:encrypt -Djasypt.plugin.path=\"file:src\u002Fmain\u002Fresources\u002Fflyway.properties\" -Djasypt.encryptor.password=\"the password\"\n```\n\nOr with a different file type (the plugin supports any plain text file format including YAML):\n\n```bash\nmvn jasypt:encrypt -Djasypt.plugin.path=\"file:src\u002Fmain\u002Fresources\u002Fapplication.yaml\" -Djasypt.encryptor.password=\"the password\"\n```\n\n**Note that the load goal only supports .property files**\n\n### Spring profiles and other spring config\nYou can override any spring config you support in your application when running the plugin, for instance selecting a given spring profile:\n \n```bash\nmvn jasypt:encrypt -Dspring.profiles.active=cloud -Djasypt.encryptor.password=\"the password\" \n```\n### Multi-module maven projects\nTo encrypt\u002Fdecrypt properties in multi-module projects disable recursion with `-N` or `--non-recursive` on the maven command:\n```bash\nmvn jasypt:upgrade -Djasypt.plugin.path=file:server\u002Fsrc\u002Ftest\u002Fresources\u002Fapplication-test.properties -Djasypt.encryptor.password=supersecret -N\n```\n\n## Asymmetric Encryption\n`jasypt-spring-boot:2.1.1` introduces a new feature to encrypt\u002Fdecrypt properties using asymmetric encryption with a pair of private\u002Fpublic keys\nin DER or PEM formats.\n\n### Config Properties\n\nThe following are the configuration properties you can use to config asymmetric decryption of properties;\n\n\u003Ctable border=\"1\">\n \u003Ctr>\n \u003Ctd>Key\u003C\u002Ftd>\u003Ctd>Default Value\u003C\u002Ftd>\u003Ctd>Description\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.privateKeyString\u003C\u002Ftd>\u003Ctd>null\u003C\u002Ftd>\u003Ctd> private key for decryption in String format\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.privateKeyLocation\u003C\u002Ftd>\u003Ctd>null\u003C\u002Ftd>\u003Ctd>location of the private key for decryption in spring resource format\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003Ctr>\n \u003Ctd>jasypt.encryptor.privateKeyFormat\u003C\u002Ftd>\u003Ctd>DER\u003C\u002Ftd>\u003Ctd>Key format. DER or PEM\u003C\u002Ftd>\n \u003C\u002Ftr>\n \u003C\u002Ftable>\n \n You should either use `privateKeyString` or `privateKeyLocation`, the String format takes precedence if set.\n To specify a private key in DER format with `privateKeyString`, please encode the key bytes to `base64`.\n \n __Note__ that `jasypt.encryptor.password` still takes precedences for PBE encryption over the asymmetric config. \n\n### Sample config\n\n#### DER key as string\n```yaml\njasypt:\n encryptor:\n privateKeyString: MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtB\u002FIYK8E52CYMZTpyIY9U0HqMewyKnRvSo6s+9VNIn\u002FHSh9+MoBGiADa2MaPKvetS3CD3CgwGq\u002F+LIQ1HQYGchRrSORizOcIp7KBx+Wc1riatV\u002FtcpcuFLC1j6QJ7d2I+T7RA98Sx8X39orqlYFQVysTw\u002FaTawX\u002Fyajx0UlTW3rNAY+ykeQ0CBHowtTxKM9nGcxLoQbvbYx1iG9JgAqye7TYejOpviOH+BpD8To2S8zcOSojIhixEfayay0gURv0IKJN2LP86wkpAuAbL+mohUq1qLeWdTEBrIRXjlnrWs1M66w0l\u002F6JwaFnGOqEB6haMzE4JWZULYYpr2yKyoGCRAgMBAAECggEAQxURhs1v3D0wgx27ywO3zeoFmPEbq6G9Z6yMd5wk7cMUvcpvoNVuAKCUlY4pMjDvSvCM1znN78g\u002FCnGF9FoxJb106Iu6R8HcxOQ4T\u002FehS+54kDvL999PSBIYhuOPUs62B\u002FJer9FfMJ2veuXb9sGh19EFCWlMwILEV\u002FdX+MDyo1qQaNzbzyyyaXP8XDBRDsvPL6fPxL4r6YHywfcPdBfTc71\u002FcEPksG8ts6um8uAVYbLIDYcsWopjVZY\u002FnUwsz49xBCyRcyPnlEUJedyF8HANfVEO2zlSyRshn\u002FF+rrjD6aKBV\u002FyVWfTEyTSxZrBPl4I4Tv89EG5CwuuGaSagxfQpAQKBgQDXEe7FqXSaGk9xzuPazXy8okCX5pT6545EmqTP7\u002FJtkMSBHh\u002Fxw8GPp+JfrEJEAJJl\u002FISbdsOAbU+9KAXuPmkicFKbodBtBa46wprGBQ8XkR4JQoBFj1SJf7Gj9ozmDycozO2Oy8a1QXKhHUPkbPQ0+w3efwoYdfE67ZodpFNhswKBgQDN9eaYrEL7YyD7951WiK0joq0BVBLK3rwO5+4g9IEEQjhP8jSo1DP+zS495t5ruuuuPsIeodA79jI8Ty+lpYqqCGJTE6muqLMJDiy7KlMpe0NZjXrdSh6edywSz3YMX1eAP5U31pLk0itMDTf2idGcZfrtxTLrpRffumowdJ5qqwKBgF+XZ+JRHDN2aEM0atAQr1WEZGNfqG4Qx4o0lfaaNs1+H+knw5kIohrAyvwtK1LgUjGkWChlVCXb8CoqBODMupwFAqKL\u002FIDImpUhc\u002Ft5uiiGZqxE85B3UWK\u002F7+vppNyIdaZL13a1mf9sNI\u002Fp2whHaQ+3WoW\u002FP3R5z5uaifqM1EbDAoGAN584JnUnJcLwrnuBx1PkBmKxfFFbPeSHPzNNsSK3ERJdKOINbKbaX+7DlT4bRVbWvVj\u002Fjcw\u002Fc2Ia0QTFpmOdnivjefIuehffOgvU8rsMeIBsgOvfiZGx0TP3+CCFDfRVqjIBt3HAfAFyZfiP64nuzOERslL2XINafjZW5T0pZz8CgYAJ3UbEMbKdvIuK+uTl54R1Vt6FO9T5bgtHR4luPKoBv1ttvSC6BlalgxA0Ts\u002FAQ9tCsUK2JxisUcVgMjxBVvG0lfq\u002FEHpL0Wmn59SHvNwtHU2qx3Ne6M0nQtneCCfR78OcnqQ7+L+3YCMqYGJHNFSard+dewfKoPnWw0WyGFEWCg==\n\n```\n\n#### DER key as a resource location\n```yaml\njasypt:\n encryptor:\n privateKeyLocation: classpath:private_key.der\n\n```\n\n#### PEM key as string\n```yaml\njasypt:\n encryptor:\n privateKeyFormat: PEM\n privateKeyString: |-\n -----BEGIN PRIVATE KEY-----\n MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtB\u002FIYK8E52CYM\n ZTpyIY9U0HqMewyKnRvSo6s+9VNIn\u002FHSh9+MoBGiADa2MaPKvetS3CD3CgwGq\u002F+L\n IQ1HQYGchRrSORizOcIp7KBx+Wc1riatV\u002FtcpcuFLC1j6QJ7d2I+T7RA98Sx8X39\n orqlYFQVysTw\u002FaTawX\u002Fyajx0UlTW3rNAY+ykeQ0CBHowtTxKM9nGcxLoQbvbYx1i\n G9JgAqye7TYejOpviOH+BpD8To2S8zcOSojIhixEfayay0gURv0IKJN2LP86wkpA\n uAbL+mohUq1qLeWdTEBrIRXjlnrWs1M66w0l\u002F6JwaFnGOqEB6haMzE4JWZULYYpr\n 2yKyoGCRAgMBAAECggEAQxURhs1v3D0wgx27ywO3zeoFmPEbq6G9Z6yMd5wk7cMU\n vcpvoNVuAKCUlY4pMjDvSvCM1znN78g\u002FCnGF9FoxJb106Iu6R8HcxOQ4T\u002FehS+54\n kDvL999PSBIYhuOPUs62B\u002FJer9FfMJ2veuXb9sGh19EFCWlMwILEV\u002FdX+MDyo1qQ\n aNzbzyyyaXP8XDBRDsvPL6fPxL4r6YHywfcPdBfTc71\u002FcEPksG8ts6um8uAVYbLI\n DYcsWopjVZY\u002FnUwsz49xBCyRcyPnlEUJedyF8HANfVEO2zlSyRshn\u002FF+rrjD6aKB\n V\u002FyVWfTEyTSxZrBPl4I4Tv89EG5CwuuGaSagxfQpAQKBgQDXEe7FqXSaGk9xzuPa\n zXy8okCX5pT6545EmqTP7\u002FJtkMSBHh\u002Fxw8GPp+JfrEJEAJJl\u002FISbdsOAbU+9KAXu\n PmkicFKbodBtBa46wprGBQ8XkR4JQoBFj1SJf7Gj9ozmDycozO2Oy8a1QXKhHUPk\n bPQ0+w3efwoYdfE67ZodpFNhswKBgQDN9eaYrEL7YyD7951WiK0joq0BVBLK3rwO\n 5+4g9IEEQjhP8jSo1DP+zS495t5ruuuuPsIeodA79jI8Ty+lpYqqCGJTE6muqLMJ\n Diy7KlMpe0NZjXrdSh6edywSz3YMX1eAP5U31pLk0itMDTf2idGcZfrtxTLrpRff\n umowdJ5qqwKBgF+XZ+JRHDN2aEM0atAQr1WEZGNfqG4Qx4o0lfaaNs1+H+knw5kI\n ohrAyvwtK1LgUjGkWChlVCXb8CoqBODMupwFAqKL\u002FIDImpUhc\u002Ft5uiiGZqxE85B3\n UWK\u002F7+vppNyIdaZL13a1mf9sNI\u002Fp2whHaQ+3WoW\u002FP3R5z5uaifqM1EbDAoGAN584\n JnUnJcLwrnuBx1PkBmKxfFFbPeSHPzNNsSK3ERJdKOINbKbaX+7DlT4bRVbWvVj\u002F\n jcw\u002Fc2Ia0QTFpmOdnivjefIuehffOgvU8rsMeIBsgOvfiZGx0TP3+CCFDfRVqjIB\n t3HAfAFyZfiP64nuzOERslL2XINafjZW5T0pZz8CgYAJ3UbEMbKdvIuK+uTl54R1\n Vt6FO9T5bgtHR4luPKoBv1ttvSC6BlalgxA0Ts\u002FAQ9tCsUK2JxisUcVgMjxBVvG0\n lfq\u002FEHpL0Wmn59SHvNwtHU2qx3Ne6M0nQtneCCfR78OcnqQ7+L+3YCMqYGJHNFSa\n rd+dewfKoPnWw0WyGFEWCg==\n -----END PRIVATE KEY-----\n\n```\n\n#### PEM key as a resource location\n```yaml\njasypt:\n encryptor:\n privateKeyFormat: PEM\n privateKeyLocation: classpath:private_key.pem\n\n```\n\n### Encrypting properties\n\nThere is no program\u002Fcommand to encrypt properties using asymmetric keys but you can use the following code snippet to encrypt\nyour properties:\n\n#### DER Format\n\n```java\nimport com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricConfig;\nimport com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricStringEncryptor;\nimport org.jasypt.encryption.StringEncryptor;\n\npublic class PropertyEncryptor {\n public static void main(String[] args) {\n SimpleAsymmetricConfig config = new SimpleAsymmetricConfig();\n config.setPublicKey(\"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQfyGCvBOdgmDGU6ciGPVNB6jHsMip0b0qOrPvVTSJ\u002Fx0offjKARogA2tjGjyr3rUtwg9woMBqv\u002FiyENR0GBnIUa0jkYsznCKeygcflnNa4mrVf7XKXLhSwtY+kCe3diPk+0QPfEsfF9\u002FaK6pWBUFcrE8P2k2sF\u002F8mo8dFJU1t6zQGPspHkNAgR6MLU8SjPZxnMS6EG722MdYhvSYAKsnu02Hozqb4jh\u002FgaQ\u002FE6NkvM3DkqIyIYsRH2smstIFEb9CCiTdiz\u002FOsJKQLgGy\u002FpqIVKtai3lnUxAayEV45Z61rNTOusNJf+icGhZxjqhAeoWjMxOCVmVC2GKa9sisqBgkQIDAQAB\");\n StringEncryptor encryptor = new SimpleAsymmetricStringEncryptor(config);\n String message = \"chupacabras\";\n String encrypted = encryptor.encrypt(message);\n System.out.printf(\"Encrypted message %s\\n\", encrypted);\n }\n}\n```\n\n#### PEM Format\n\n```java\nimport com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricConfig;\nimport com.ulisesbocchio.jasyptspringboot.encryptor.SimpleAsymmetricStringEncryptor;\nimport org.jasypt.encryption.StringEncryptor;\nimport static com.ulisesbocchio.jasyptspringboot.util.AsymmetricCryptography.KeyFormat.PEM;\n\npublic class PropertyEncryptor {\n public static void main(String[] args) {\n SimpleAsymmetricConfig config = new SimpleAsymmetricConfig();\n config.setKeyFormat(PEM);\n config.setPublicKey(\"-----BEGIN PUBLIC KEY-----\\n\" +\n \"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArQfyGCvBOdgmDGU6ciGP\\n\" +\n \"VNB6jHsMip0b0qOrPvVTSJ\u002Fx0offjKARogA2tjGjyr3rUtwg9woMBqv\u002FiyENR0GB\\n\" +\n \"nIUa0jkYsznCKeygcflnNa4mrVf7XKXLhSwtY+kCe3diPk+0QPfEsfF9\u002FaK6pWBU\\n\" +\n \"FcrE8P2k2sF\u002F8mo8dFJU1t6zQGPspHkNAgR6MLU8SjPZxnMS6EG722MdYhvSYAKs\\n\" +\n \"nu02Hozqb4jh\u002FgaQ\u002FE6NkvM3DkqIyIYsRH2smstIFEb9CCiTdiz\u002FOsJKQLgGy\u002Fpq\\n\" +\n \"IVKtai3lnUxAayEV45Z61rNTOusNJf+icGhZxjqhAeoWjMxOCVmVC2GKa9sisqBg\\n\" +\n \"kQIDAQAB\\n\" +\n \"-----END PUBLIC KEY-----\\n\");\n StringEncryptor encryptor = new SimpleAsymmetricStringEncryptor(config);\n String message = \"chupacabras\";\n String encrypted = encryptor.encrypt(message);\n System.out.printf(\"Encrypted message %s\\n\", encrypted);\n }\n}\n```\n## AES 256-GCM Encryption\nAs of version 3.0.5, AES 256-GCM Encryption is supported. To use this type of encryption, set the property `jasypt.encryptor.gcm-secret-key-string`, `jasypt.encryptor.gcm-secret-key-location`, or `jasypt.encryptor.gcm-secret-key-password`.\u003Cbr\u002F>\nThe underlying algorithm used is `AES\u002FGCM\u002FNoPadding` so make sure that's installed in your JDK.\u003Cbr\u002F>\nThe `SimpleGCMByteEncryptor` uses a `IVGenerator` to encrypt properties. You can configure that with property `jasypt.encryptor.iv-generator-classname` if you don't want to\nuse the default implementation `RandomIvGenerator`\n### Using a key\nWhen using a key via `jasypt.encryptor.gcm-secret-key-string` or `jasypt.encryptor.gcm-secret-key-location`, make sure you encode your key in base64.\nThe base64 string value could set to `jasypt.encryptor.gcm-secret-key-string`, or just can save it in a file and use a spring resource locator to that file in property `jasypt.encryptor.gcm-secret-key-location`. For instance:\n```properties\njasypt.encryptor.gcm-secret-key-string=\"PNG5egJcwiBrd+E8go1tb9PdPvuRSmLSV3jjXBmWlIU=\"\n#OR\njasypt.encryptor.gcm-secret-key-location=classpath:secret_key.b64\n#OR\njasypt.encryptor.gcm-secret-key-location=file:\u002Ffull\u002Fpath\u002Fsecret_key.b64\n#OR\njasypt.encryptor.gcm-secret-key-location=file:relative\u002Fpath\u002Fsecret_key.b64\n```\nOptionally, you can create your own `StringEncryptor` bean:\n```java\n@Bean(\"encryptorBean\")\npublic StringEncryptor stringEncryptor() {\n SimpleGCMConfig config = new SimpleGCMConfig();\n\tconfig.setSecretKey(\"PNG5egJcwiBrd+E8go1tb9PdPvuRSmLSV3jjXBmWlIU=\");\n\treturn new SimpleGCMStringEncryptor(config);\n}\n```\n### Using a password\nAlternatively, you can use a password to encrypt\u002Fdecrypt properties using AES 256-GCM. The password is used to generate a\nkey on startup, so there is a few properties you need to\u002Fcan set, these are:\n```properties\njasypt.encryptor.gcm-secret-key-password=\"chupacabras\"\n#Optional, defaults to \"1000\"\njasypt.encryptor.key-obtention-iterations=\"1000\"\n#Optional, defaults to 0, no salt. If provided, specify the salt string in ba64 format\njasypt.encryptor.gcm-secret-key-salt=\"HrqoFr44GtkAhhYN+jP8Ag==\"\n#Optional, defaults to PBKDF2WithHmacSHA256\njasypt.encryptor.gcm-secret-key-algorithm=\"PBKDF2WithHmacSHA256\"\n```\nMake sure this parameters are the same if you're encrypting your secrets with external tools.\nOptionally, you can create your own `StringEncryptor` bean:\n```java\n@Bean(\"encryptorBean\")\npublic StringEncryptor stringEncryptor() {\n SimpleGCMConfig config = new SimpleGCMConfig();\n\tconfig.setSecretKeyPassword(\"chupacabras\");\n\tconfig.setSecretKeyIterations(1000);\n\tconfig.setSecretKeySalt(\"HrqoFr44GtkAhhYN+jP8Ag==\");\n\tconfig.setSecretKeyAlgorithm(\"PBKDF2WithHmacSHA256\");\n\treturn new SimpleGCMStringEncryptor(config);\n}\n```\n### Encrypting properties with AES GCM-256\nYou can use the [Maven Plugin](#maven-plugin) or follow a similar strategy as explained in [Asymmetric Encryption](#asymmetric-encryption)'s [Encrypting Properties](#encrypting-properties) \n## Demo App\nThe [jasypt-spring-boot-demo-samples](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot-samples) repo contains working Spring Boot app examples.\nThe main [jasypt-spring-boot-demo](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot-samples\u002Ftree\u002Fmaster\u002Fjasypt-spring-boot-demo) Demo app explicitly sets a System property with the encryption password before the app runs.\nTo have a little more realistic scenario try removing the line where the system property is set, build the app with maven, and the run:\n\n```\n\tjava -jar target\u002Fjasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=password\n```\nAnd you'll be passing the encryption password as a command line argument.\nRun it like this:\n\n```\n\tjava -Djasypt.encryptor.password=password -jar target\u002Fjasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar\n```\nAnd you'll be passing the encryption password as a System property.\n\nIf you need to pass this property as an Environment Variable you can accomplish this by creating application.properties or application.yml and adding:\n```\njasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}\n```\nor in YAML\n```\njasypt:\n encryptor:\n password: ${JASYPT_ENCRYPTOR_PASSWORD:}\n```\nbasically what this does is to define the `jasypt.encryptor.password` property pointing to a different property `JASYPT_ENCRYPTOR_PASSWORD` that you can set with an Environment Variable, and you can also override via System Properties. This technique can also be used to translate property name\u002Fvalues for any other library you need.\nThis is also available in the Demo app. So you can run the Demo app like this:\n\n```\nJASYPT_ENCRYPTOR_PASSWORD=password java -jar target\u002Fjasypt-spring-boot-demo-1.5-SNAPSHOT.jar\n```\n\n**Note:** When using Gradle as build tool, processResources task fails because of '$' character, to solve this you just need to scape this variable like this '\\\\$'.\n\n## Other Demo Apps\nWhile [jasypt-spring-boot-demo](https:\u002F\u002Fgithub.com\u002Fulisesbocchio\u002Fjasypt-spring-boot-samples\u002Ftree\u002Fmaster\u002Fjasypt-spring-boot-demo) is a comprehensive Demo that showcases all possible ways to encrypt\u002Fdecrypt properties, there are other multiple Demos that demo isolated scenarios. \n\n[\u002F\u002F]: # (## Flattr)\n\n[\u002F\u002F]: # ([![Flattr this git repo](http:\u002F\u002Fapi.flattr.com\u002Fbutton\u002Fflattr-badge-large.png)](https:\u002F\u002Fflattr.com\u002F@ubocchio\u002Fgithub\u002Fulisesbocchio))\n","jasypt-spring-boot 项目实现了 Jasypt 在 Spring Boot 应用中的集成,主要用于对配置文件中的敏感信息进行加密。其核心功能包括通过添加 `jasypt-spring-boot-starter` 到类路径来启用整个 Spring 环境的属性加密支持,或者通过在主配置类中使用 `@EnableEncryptableProperties` 注解来实现同样的效果。此外,还支持单独声明可加密的属性源。该项目基于 Java 开发,要求 Java 17 及以上版本和 Spring Boot 3.5+。适用于需要保护配置文件中如数据库密码等敏感数据的应用场景,确保这些信息即使泄露也不会被轻易读取,从而提高了应用的安全性。","2026-06-11 03:30:38","top_topic"]