Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
  • Oct 20 16:39
    andrew00077 commented #297
  • Oct 20 16:39
    andrew00077 commented #297
  • Oct 20 16:39
    andrew00077 closed #297
  • Oct 20 16:39
    andrew00077 commented #297
  • Oct 20 12:00
    andrew00077 edited #297
  • Oct 20 11:59
    andrew00077 opened #297
  • Oct 18 00:49
    lujuliang commented #295
  • Oct 15 11:18
    henryliu93 edited #296
  • Oct 15 11:17
    henryliu93 opened #296
  • Oct 11 14:17
    marchicman commented #221
  • Oct 10 11:27
    lujuliang commented #295
  • Oct 10 01:13
    ulisesbocchio commented #295
  • Oct 09 03:37
    lujuliang opened #295
  • Oct 08 18:55
  • Oct 08 18:53
    jonas-haeusler opened #294
  • Sep 26 16:00
    dythebs commented #77
  • Sep 24 19:26
    henka-rl commented #288
  • Sep 24 10:16
    hashmaparraylist opened #293
  • Sep 24 06:38
    lujuliang closed #292
  • Sep 24 06:38
    lujuliang commented #292
can you please help me on this
Daniyar Yeralin

Hey, guys may I ask for help?

I added com.github.ulisesbocchio:jasypt-spring-boot-starter:1.17 to Spring Boot app. I encrypted MySQL password with test, and added this JVM arg -Djasypt.encryptor.password=test.

I start my Spring Boot app, see following logs:

2018-10-12 12:30:05 INFO  EnableEncryptablePropertiesBeanFactoryPostProcessor:48 - Post-processing PropertySource instances
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource bootstrap [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource servletConfigInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource servletContextInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource jndiProperties [org.springframework.jndi.JndiPropertySource] to EncryptablePropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource systemProperties [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource systemEnvironment [org.springframework.core.env.SystemEnvironmentPropertySource] to EncryptableMapPropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource random [org.springframework.boot.context.config.RandomValuePropertySource] to EncryptablePropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource springCloudClientHostInfo [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper
2018-10-12 12:30:05 INFO  EncryptablePropertySourceConverter:38 - Converting PropertySource defaultProperties [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper

But when I try to resolve my MySQL pwd:

private String password;

It never decrypts it, it is resolved as ENC(...) instead of decrypted password.

I'm very close, and I feel like I'm missing something

Daniyar Yeralin

resolved by upgrading to 1.18
Hi, I have a problem when using jasypt and spring cloud
Inside logback.xml file I'm using springProperty.
In bootstrap phase, the property resolved (from bootstrap.yml), but after fetching configuration from config server, the property not resolved, result in <propertyName>_IS_UNDEFINED.
I think the problem is in jasypt-spring boot since the problem occurs only when adding jasypt-spring-boot-starter as a dependency.
Attached sample project:



to this sample and adding to application.yml

        include: "*"

now go to http://localhost:8080/actuator/env
as you can see, the property spring.application.name resolved from bootstrap.yml

Tomasz Siwiec
Hello, is it possible to use Jasypt with spring-boot 2.1.5? If not , when we can except compatibility with that version?
Ulises Bocchio
I think it should be possible @TomaszSiwiec
Tomasz Siwiec
When can we except official version for spring-boot 2.1.5?
Ganesh Kumar
@ulisesbocchio I’m using spring boot 1.5 + jasypt 1.12 + hikariCP. When I use EnableEncryptableProperties in main class, properties are not binding to bean, when I remove the annotation, it works. When I debug the app, I could properties are converted to EncryptableMapPropertySourceWrapper object, but properties are not binding to actual config class. Any help?
Ulises Bocchio
What’s hikariCP?
hi ,
I am currently using jasypt-springboot 2.0 version to secure my db pwd. But the problem is i am getting confused which alogithm i should choose for production purpose.
Note: I am using PBEWithMD5AndDES algorithm now.
And the other question is do i need to write custom bean configuration to set provider name and other details for production purpose?

Could anyone please help to resolve this issue.
I am getting below when I am Starting Springboot or doing Run As SpringBoot

Exception in thread "main" java.lang.IllegalArgumentException: Cannot instantiate interface org.springframework.context.ApplicationListener : com.ulisesbocchio.jasyptspringboot.configuration.EnableEncryptablePropertiesBeanFactoryPostProcessor
at org.springframework.boot.SpringApplication.createSpringFactoriesInstances(SpringApplication.java:450)
at org.springframework.boot.SpringApplication.getSpringFactoriesInstances(SpringApplication.java:429)
at org.springframework.boot.SpringApplication.getSpringFactoriesInstances(SpringApplication.java:420)
at org.springframework.boot.SpringApplication.<init>(SpringApplication.java:270)
at org.springframework.boot.SpringApplication.<init>(SpringApplication.java:249)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248)
at com.cisco.sbg.ces.configservice.ConfigserviceApplication.main(ConfigserviceApplication.java:16)
Caused by: java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
at com.ulisesbocchio.jasyptspringboot.configuration.EnableEncryptablePropertiesBeanFactoryPostProcessor.<clinit>(EnableEncryptablePropertiesBeanFactoryPostProcessor.java:35)

When using spring functions with kafka and jasypt. The following function auto starts Looking up function 'configPropsSingleton' with acceptedOutputTypes: []. Can that be disabled?
I am really struggling to use "jasypt-spring-boot-starter". I have tried debugging for over a week and not gotten anywhere. No matter what I try it does not replace the encrypted variable in a Spring Datasource. What is the best way/place to seek help/advice, please?
Ulises Bocchio
Hi @RobWilkinsonUK
do you get any errors? Have checked the samples repo?
Can you share a poc repo where your issue manifests?

Hi Ulises: Many thanks for responding. I appreciate it. I don't get any errors other than that the password on my datasource is the encoded password. I have checked the samples.

poc repo? Forgive me. I don't know what that is. Do you mean the Pom.xml? How do I share through this chat. I apologise for not being versed in this.

I just went back to the plain jasypt example and will have to revert if you are willing to work with me.


After a great deal of huffing and puffing , and at least two weeks, I got it to work. My comments are as follows:-

  1. The readme comments completely mislead me. When you state "Simply adding the starter jar jasypt-spring-boot-starter to your classpath if using @SpringBootApplication or @EnableAutoConfiguration will enable encryptable properties across the entire Spring Environment". That turned out not to be true.

Only after following the lines that were actually commented out in your sample did I get it to work.:
new SpringApplicationBuilder()
//.environment(new StandardEncryptableEnvironment())

The .environment(new StandardEncryptableEnvironment() was the key.

I still get a warning in red as follows. Do you know what this is referring to?
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (file:/C:/Users/Rob%20Wilkinson/.m2/repository/org/springframework/spring-core/5.2.9.RELEASE/spring-core-5.2.9.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of org.springframework.cglib.core.ReflectUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Ulises Bocchio
I see
While that’s true, all you need is the starter jar for most regular scenarios, look at the docs for the StandardEncryptableEnvironment. There are a few cases where the Spring BeanFactory post processor approach used by default cannot intercept properties. You’re probably in one of those cases
By poc I mean proof of concept. Basically a working repo with an app where the problem happens and I don’t have to build it myself but I can troubleshoot

Hi Ulises: I wanted to take a moment to thank you for your fine work and your patience. While you did not give me a solution you did cause me to do so more work which lead me to my solution.

I don't know what I could have been doing that would have resulted in a non-regular scenario. I had a DataSource bean in an XML file that had variables that were encoded.

I am happy to spend some time trying to put a POC on Github but it will take some time for me. Additionally it will require MySQl to fully test.

Anyway, once again thank you.

Hi Ulises, thank you for this library and support. I am using quite sometime and the encryption/decryption were working good.
Today, I started compiling and it fails. Even without any changes, it fails to fetch the library which was working earlier.
I am using gradle to package my spring-boot application.
The repositories are defined in the gradle as
repositories { mavenCentral() maven { url 'https://jitpack.io' } }
and using the library dependency as
compile group: 'com.github.ulisesbocchio', name: 'jasypt-spring-boot-starter', version: '3.0.3' compile group: 'org.jasypt', name: 'jasypt', version: '1.9.3'
Please let me know if anything got changed which is breaking and what needs to be done?
1 reply
hi everyone, i'm using jasypt in my project with spring cloud bootstrap and I want to override the default StringEncryptor but failed with the example. it seems the bean can't be found during bootstrap phase. any idea?
2021-07-23 17:17:05.055  INFO 11700 --- [           main] c.u.j.encryptor.DefaultLazyEncryptor     : String Encryptor custom Bean not found with name 'jasyptStringEncryptor'. Initializing Default String Encryptor
    public StringEncryptor stringEncryptor() {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        return encryptor;
Tony Pappas
I am having the same issue, and I can't get the default autowiree encryption working during bootstrspmphase for spring cloud config
Ulises Bocchio
As far as i remember there’d be 2 application contexts when you use bootstrap, one that loads the bootstrap.yml and beans in a temporary application context in order to configure your app. The bootstrap context is unaffected by your application beans. I haven’t tried it but you can choose to pass a custom encryptable environment to your spring application builder (see readme) and maybe that’d affect the bootstrap contextd. Otherwise you’d have to use the spring factories loader mechanism. There’s a hook for bootstrap that you can add to your META-INF/spring.factories file and who knows, they might even have an annotation nowadays
there should some documentation in spring cloud about the whole bootstrap context
just to be clear tho… you want to encrypt properties in bootstrap.yml ? Shouldn’t be needed in my opinion. But maybe you can explain your use case and can give you a recommendation
Tony Pappas
I'll look into your suggestions, I am currently using the spring.factories to get my custom decryptor loaded, and it is working at first startup. The problem occurs when (I think) the application refreshes and attempts to clone the repository. At this moment it doesnt attempt to decrypt anything.
I have encrypted my ssh private key in bootstrap.yml which has caused this whole issue
I do see that there was a bug fix in release 3.0.3 for the refresh event, but I am using jasypt-spring-boot-starter 3.0.4
Ulises Bocchio
ok, so just to get it straight. You use the private key to encrypt your secrets? and then you want to encrypt that same private key with another layer on bootstrap? how do you feed the decryption password for the private key? environment? My suggestion would be that you pass the private key as either:
a) an environment variable, same way you're probably passing the decryption secret for the private.key
b) you load the private key from a secret store (say Vault if you're running on Kubernetes) and embed it as an environment variable for your container or mount it on a file path
c) you store it in a pkcs8/12/jks keystore with a password and load it, but again here as with your current situation, you'd have to pass the keystore password to the application
I can look into supporting c) out of the box so you can just pass the keystore location, password, and name of the key
I any case, I'm curious as to what's happening in your app... is there any way you can create a sample app where the problem appears so I can tinker with it?
Ulises Bocchio
In my opinion there's really no value to use asymmetric encryption if you're keeping your private key in bootstrap.yml, encrypted or not. Since the weakest link in the chain hangs from providing the password that decrypts the private key that's already available. You're adding an extra layer, but not of security...
Tony Pappas
my private key is not in bootstrap.yml, but instead file path is. The private key is on disk (not encrypted with a password, I didn't think jasypt-spring-boot-starter supported this) but instead read only by our system service account. We do not use the private key for encryption, we encryption with the public key and decrypt with the private. This allows us to as a developer not have access to production passwords as we don't have access to the private key. Only the public to give to other teams and they hand us the encrypted password.
I ended up getting everything working by writing my own custom EncryptablePropertyResolver and adding it to spring.factories. I also added support for hybrid encryption to encryption secrets such as other ssh keys that are too big forma 2048 bit asymmetric key.
(I encryt with asymmetric a hybrid key which I use to encryption symetrically the larger secrets)
Ulises Bocchio
nice. I'm curious as to what you needed to add to spring.factories. I'm still not sure what do you need in bootstrap.yml that you need to resolve encryptable properties. I created a quick example on my end with an embedded config server and everything worked out of the box as far as I don't mess with bootstrap.yml (i.e. I don't add any encrypted properties there that would trip the default lazy string encryptor)
Ulises Bocchio
are you using jasypt-spring-boot-starter or the @EnableEncryptableProperties annotation?, the started jar has this line:
org.springframework.cloud.bootstrap.BootstrapConfiguration=com.ulisesbocchio.jasyptspringbootstarter.JasyptSpringCloudBootstrapConfiguration on its spring.factories
Tony Pappas
I added my custom EncryptablePropertyResolver to spring.factoies by setting org.springframework.cloud.bootstrap.BootstrapConfiguration. And i needed to set this because i use both symmetric and asymetric encryption somi created my own resolver that supports both.
On the bootstrap.yml, what i said before was a bit misleading. I have 2 private keys. One for spring cloud config to acccess my git repo and another for decrypting secrets with jasypt. For the spring cloud config private key, this is deployed via celestial in an encrypted format according to company policy. So during the bootstrap phase jasypt must decrypt this key using the other private key that is protected on disk. (this key is deployed during setup of our server rather than during CD procees)
And i am using jasypt spring boot starter
Ulises Bocchio
I see, I was able to decrypt out of the box properties you may want protected in bootstrap.yml. The only catch is that you have to place your encryption config there too for the bootstrap context to configure jasypt properly. You also need the same config in your app-name-label.yml file for the actual application
What didn’t work out of the box is 2 different encryption mechanisms. One for bootstrap and one for the app because the bootstrap properties are available to the application so one of the configs is gonna take precedence in the order that is discovered from the jasypt code.