Tooling for encrypting certain configuration parameter values in dropwizard apps
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

Encrypted Config Value

Build Status JCenter Release

This repository provides tooling for encrypting certain configuration parameter values in Dropwizard apps. This defends against accidental leaks of sensitive information such as copy/pasting a config file - unlike jetty obsfucated passwords, one would also have to share the encryption key to actually reveal the sensitive information.


A Dropwizard bundle which provides a way of using encrypted values in your Dropwizard configs (via a variable substitutor) and utility commands.

The bundle sets the ConfigurationSourceProvider to one capable of parsing encrypted values specified as variables.

The bundle adds the following commands:

  • encrypt-config-value -v <value> [-k <keyfile>] for encrypting values. In the case of non-symmetric algorithms (e.g. RSA) specify the public key.
  • generate-random-key -a <algorithm> [-f <keyfile>] for generating random keys with the specified algorithm. In the case of non-symmetric algorithms (e.g. RSA) the private key will have a .private extension.

Currently supported algorithms:

  • AES: (AES/GCM/NoPadding) with random IV
  • RSA

Example Usage

Maven artifacts are published to JCenter. Dropwizard bundles are separated into two different packages: one for Dropwizard 1.x and one for Dropwizard 0.9.x and below. Example Gradle dependency configuration:

repositories {

dependencies {
    // adds EncryptedConfigValueBundle for Dropwizard 1.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle-dropwizard1:$version"
    // or, adds EncryptedConfigValueBundle for Drowizard <= 0.9.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle:$version"

To use in your app, just add the bundle:

public final class Main extends Application<MyApplicationConfig> {
    public void initialize(Bootstrap<MyApplicationConfig> bootstrap) {
        bootstrap.addBundle(new EncryptedConfigValueBundle());


my-application$ ./bin/my-dropwizard-app generate-random-key -a AES
Wrote key to var/conf/encrypted-config-value.key
my-application$ ./bin/my-dropwizard-app encrypt-config-value -v topSecretPassword

Now use the encrypted value in your config file (as a variable):

   username: my-user
   password: ${enc:INNv4cGkVF45MLWZhgVZdIsgQ4zKvbMoJ978Es3MIKgrtz5eeTuOCLM1vPbQm97ejz2EK6M=}


Not Dropwizard? You can still use encrypted values in your configuration file.

Example Usage

public final class AppConfiguration {

    private static final ObjectMapper MAPPER = new YAMLMapper()
                                                   .registerModule(new GuavaModule());


    public static AppConfiguration fromYaml(File configFile) {
        return EncryptedConfigMapperUtils.getConfig(configFile, AppConfiguration.class, MAPPER);


This repository is made available under the Apache 2.0 License.