Encrypt Decrypt Cloud Config Properties(Symmetric + Asymmetric)

author-image  By Dhiraj,   Last updated on: 07 June, 2019 14K

In this article we will be discussing about encryption and decryption of configuration property in spring cloud config using symmetric and asymmetric encryption.We will have git store property values defined in encrypted format in the properties file or yml file and the cloud config server will serve those property values after decryption to the client.

It is a very obvious situation that we need to externalize our some of the sensitive config properties such as DB username and password in a properties file.As long as the properties file are at classpath, we are good to go. But while dealing with microservices and cloud config we have our properties stored at some external store such as GIT store. In this case we can't just keep these sensitive properties in a plain-text.Hence, spring cloud config provides ways to add encryption to these properties and while serving these properties it automatically decrypts it and returns the plain-text. Hence, it is highly recommended to use HTTPS/TSL for this.

In our last article we developed a spring cloud application with netflix eureka discovery server and here we will make changes in the same application to demonstrate encryption and decryption of property values in spring cloud config.Let me brief here what we did in our last post. We have our GIT store at https://github.com/only2dhir/config-repo and we have 2 spring boot applications. One is cloud config server and the other is cloud config client.Now we will define our config properties in encrypted form and push to GIT.

test.local.property=test local property changed twice
random.property=random property changed twice

While using encrypted property it is required to store the properties in the format {cipher} to GIT. This indicates spring cloud config that the value is in encrypted format and it should be decrypted first before serving it to the client.

Property Config Encryption and Decryption

Now let us set up the spring boot app for encryption and decryption of config properties.Since we are using symmetric encryption, we only require to tell the spring about the secret key we are using for encryption and decryption and that too in application.properties.


Now after adding this property, symmetric encryption is automatically enabled and the config property values with format {cipher} will be automatically decrypted and served by spring cloud config.

For asymmetric encryption the value of encrypt.key should be a PEM-encoded string value or we can configure our custom keystore to use. Following is a sample to generate a keystore.

keytool -genkeypair -alias mytestkey -keyalg RSA \
  -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
  -keypass changeme -keystore server.jks -storepass letmein

Now, once the server.jks is generated,we can configure it as below in application.properties.


Now, the question comes how can we generate the encrypted text to put in the GIT store. To do so, cloud config provides /encrypt endpoint. Following is an example to generate the encrypted key and the same key in the response is placed in the GIT store.


You can also use /encrypt/{name}/{profiles} to encrypt profile specific properties.

The encryption algorithm is not strong enough

With spring cloud config server 2, we get error response for endpoint /encrypt as The encryption algorithm is not strong enough. This error occurs if you don't have server.key property defined. Even if this is defined, to avoid this error, the property encrypt.key should be placed in bootstrap.properties rather then application.properties

Consuming Encrypted Property Config

TO consume this encrypted property values, there is no change required at the client side as spring will serve these properties after decryption by itself. We have following configuration in application.properties and bootstrap.ymlIf you want to test it with other keys, you can follow this tutorial to refresh the config property at run time


Now, we have following controller defined for demonstration.

package com.devglan.springcloudconfigclient.controller;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

public class DemoController {

    private String testProperty;

    private String localTestProperty;

    public String test() {
        StringBuilder builder = new StringBuilder();
        builder.append("global property - ").append(testProperty).append(" || ")
                .append("local property - ").append(localTestProperty).append(" || ");
        return builder.toString();

encrypted.property is the config property that is encrypted in the GIT store.Now, we can hit http://localhost:8080/spring-cloud-config-client/ to check the result.



Here, we discussed about encrypting and decrypting the property configuration in spring cloud config. We discussed about the symmetric and asymmetric encryption.The source can be downloaded from here.If you have anything that you want to add or share then please share it below in the comment section

If You Appreciate This, You Can Consider:

  • Like us at: Facebook or follow us at Twitter
  • Share this article on social media or with your teammates.
  • We are thankful for your never ending support.

About The Author


Further Reading on Spring Cloud

1. Spring Cloud Gateway Example

2. Spring Cloud Config

3. Spring Cloud Netflix Eureka

4. Introduction To Microservices

5. Refresh Property Config Runtime

6. Spring Netflix Zuul

7. Spring Cloud Feign Example