Shield Dropwizard Secrets: Configuration Encryption Made Easy

This repository provides tooling for encrypting certain configuration parameter values in Dropwizard apps. This defends against accidental leaks of sensitive information such as copy/pasting a config file - unlike jetty obsfucated passwords, one would also have to share the encryption key to actually reveal the sensitive information.


A Dropwizard bundle which provides a way of using encrypted values in your Dropwizard configs (via a variable substitutor) and utility commands.

The bundle sets the ConfigurationSourceProvider to one capable of parsing encrypted values specified as variables.

The bundle adds the following commands:

  • encrypt-config-value -v <value> [-k <keyfile>] for encrypting values. In the case of non-symmetric algorithms (e.g. RSA) specify the public key.
  • generate-random-key -a <algorithm> [-f <keyfile>] for generating random keys with the specified algorithm. In the case of non-symmetric algorithms (e.g. RSA) the private key will have a .private extension.

Currently supported algorithms:

  • AES: (AES/GCM/NoPadding) with random IV
  • RSA

Example Usage

Maven artifacts are published to JCenter. Dropwizard bundles are separated into two different packages: one for Dropwizard 1.x and one for Dropwizard 0.9.x and below. Example Gradle dependency configuration:

repositories {

dependencies {
    // adds EncryptedConfigValueBundle for Dropwizard 1.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle-dropwizard1:$version"
    // or, adds EncryptedConfigValueBundle for Drowizard <= 0.9.x apps
    compile "com.palantir.config.crypto:encrypted-config-value-bundle:$version"

To use in your app, just add the bundle:

public final class Main extends Application<MyApplicationConfig> {
    public void initialize(Bootstrap<MyApplicationConfig> bootstrap) {
        bootstrap.addBundle(new EncryptedConfigValueBundle());


my-application$ ./bin/my-dropwizard-app generate-random-key -a AES
Wrote key to var/conf/encrypted-config-value.key
my-application$ ./bin/my-dropwizard-app encrypt-config-value -v topSecretPassword

Now use the encrypted value in your config file (as a variable):

   username: my-user
   password: ${enc:INNv4cGkVF45MLWZhgVZdIsgQ4zKvbMoJ978Es3MIKgrtz5eeTuOCLM1vPbQm97ejz2EK6M=}


Not Dropwizard? You can still use encrypted values in your configuration file.

Example Usage

public final class AppConfiguration {

    private static final ObjectMapper MAPPER = new YAMLMapper()
                                                   .registerModule(new GuavaModule());


    public static AppConfiguration fromYaml(File configFile) {
        return EncryptedConfigMapperUtils.getConfig(configFile, AppConfiguration.class, MAPPER);

Download Details:

Author: palantir

Official Github: 

License: Apache-2.0 license

#typescript #java 

Shield Dropwizard Secrets: Configuration Encryption Made Easy
1.45 GEEK