Consider Jasypt

[hohwille]

http://jasypt.org/

...allows us to store passwords encrypted in config files (application.properties)...

[hohwille]

http://justinrodenbostel.com/2014/06/06/part-5a-additional-credential-security-spring-data-jpa-jasypt/

[amarinso]

Seems easy and does the work. My main concern is that it doesn't seem very popular/downloaded and so it may not be that well tested.

But it covers a very usual concern and with this we can address it, so I vote for it unless someone has a better alternative.

[sobkowiak]

I vote for this too. We use this for a long time in Apache Karaf/ServiceMix and it works welll

[hohwille]

I went through the details and for me the key feature is missing or undocumented:
I need a way to provide passwords with strong encryption in spring boot properties for datasource, etc. but keep the actual secret (e.g. key or central password) in a java keystore. This keystore should differ per environment. So you could have the encrypted production passwords in the version control but only keep the keystore file for production extremely secured.
However, Jasypt goes for a simple password that you have hardcoded in some class or the like. This is IMHO more security by obscurity for password properties.

[hohwille]

spring-projects/spring-boot#1312

[hohwille]

http://www.jasypt.org/spring31.html#Integrating_jasypt_with_Springs_application_configuration_infrastructure

[hohwille]

https://github.com/ulisesbocchio/jasypt-spring-boot

[hohwille]

https://github.com/spring-cloud/spring-cloud-config#spring-cloud-config-server

[hohwille]

https://github.com/spring-cloud/spring-cloud-commons/tree/master/spring-cloud-context

[hohwille]

All done:
https://github.com/oasp-forge/oasp4j-wiki/wiki/guide-configuration#password-encryption