According to the spring cloud config documentation, if we want to disable server side decryption and handle it by the client, we can put in server’s application.yml the following property :
spring:
cloud:
config:
server:
encrypt.enabled: false
In server side, a define an env variable ENCRYPT_KEY then a call a curl to get encrypted password, I update the configuration file then I commit it
export ENCRYPTED=`curl config-server/encrypt -d ms-password-prod`
echo "spring.data.mongodb.paswword='{cipher}$ENCRYPTED'" >> establishment-services-prod.yml
Now, when I call
curl -v config-server:9090/establishment-services/prod
I expect to see encrypted password but I get the password decrypted.
I used spring-boot 1.5.8 and spring-cloud Dalston.SR4.
You can find all the code in my Github account.
Moving the spring.cloud.config.server.encrypt.enabled key to the bootstrap configuration file of your config server should fix the issue.
Looking at the project documentation, I'm not sure if this is a workaround or the intended behavior, as it seems that only the encrypt.* keys belong in the bootstrap configuration.
This could be a bug or a documentation enhancement that you could report on the issue tracker spring-cloud-config.