Config-server won't decrypt properties server-side (even if it's enabled). Whenever a client asks for a configuration the server will not decrypt {cipher} marked properties. This happens if the spring-boot-starter-parent version is equal to or greater than 2.2.0.RELEASE. The error is caused by the following Java method:

https://github.com/spring-cloud/spring-cloud-config/blob/baabff6a60c1a6a0dd7836804b6b076f4b53e471/spring-cloud-config-server/src/main/java/org/springframework/cloud/config/server/encryption/CipherEnvironmentEncryptor.java#L60-L80

It seems that since 2.2.0.RELEASE the Map.Entry<Object, Object> entry (line: 65) value is not a String but an Object. This will cause the entry.getValue().toString() call to return the full name of the object class instead of the value itself, preventing any decryption.

The solution is to change how the entry value is retrieved from entry.getValue().toString() to entry.getValue().getValue().

Details

Working: 2.1.7.RELEASE

Not Working: 2.2.0.RELEASE and above

To reproduce the error it's sufficient to start a config-server instance (with a spring-boot-starter-parent version 2.2.0.RELEASE or above) and another SpringBootApplication with spring-cloud-config-client that fetches the configuration. The config-server configuration must contain at least one property marked with the {cipher} placeholder.
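A check for the symptom reported above, where the server hands {cipher} values to clients undecrypted (added example, not part of the original issue or of Spring Cloud Config): it parses the JSON a config server returns for GET /{application}/{profile} and lists the effective properties that still carry the {cipher} prefix. The sample response, its property-source names and its values are constructed.

```python
import json

CIPHER_PREFIX = "{cipher}"

# Constructed sample of the JSON a config server returns for
# GET /{application}/{profile}; names and values are made up.
SAMPLE_RESPONSE = json.dumps({
    "name": "test-app",
    "profiles": ["default"],
    "label": None,
    "propertySources": [
        {"name": "configurations/test-app.yml",
         "source": {
             "spring.security.user.name": "{cipher}0a1b2c3d4e5f",
             "server.port": 8080,
         }},
        {"name": "configurations/application.yml",
         "source": {
             "spring.security.user.name": "admin",
             "spring.security.user.password": "{cipher}6a7b8c9d",
             "logging.level.root": "INFO",
         }},
    ],
})


def undecrypted_properties(response_text):
    """Return {key: source name} for effective values still marked {cipher}.

    Property sources are listed highest precedence first, so only the first
    occurrence of a key is the value a client will actually use.
    """
    env = json.loads(response_text)
    seen, findings = set(), {}
    for source in env.get("propertySources", []):
        for key, value in source.get("source", {}).items():
            if key in seen:
                continue  # shadowed by a higher-precedence source
            seen.add(key)
            if isinstance(value, str) and value.startswith(CIPHER_PREFIX):
                findings[key] = source.get("name", "?")
    return findings


if __name__ == "__main__":
    for key, origin in undecrypted_properties(SAMPLE_RESPONSE).items():
        # Report the key and origin only; never echo the ciphertext itself.
        print(f"still encrypted: {key} (from {origin})")
```

An empty result on a server with server-side decryption enabled means clients receive plaintext and need no key of their own; any entry means the client must decrypt locally, which fails with the FailsafeTextEncryptor error when no key is configured there.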

Comment From: spencergibb

related #1490

Comment From: spencergibb

I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

Comment From: davgia

> I'm unable to reproduce this problem. I can successfully decrypt with the proper keystore and properties setup.

Could you please try with a symmetric encryption by declaring just the encryption key (encrypt.key) on the config-server bootstrap.yml file? (example below)

encrypt:
  key: mys3cr3t

Comment From: spencergibb

That works for me as well.

Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.

Comment From: davgia

I've created a sample project that reproduces the problem. Here is the file with the project: config-server-test.zip (remember to initialize the git repository inside the configurations folder and commit the yml file). To reproduce the error just run eureka-server first, config-server and then springboot-admin. The last one should report the following error:

[main] ERROR o.s.boot.SpringApplication - Application run failed 
java.lang.IllegalStateException: Cannot decrypt: key=spring.security.user.name
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:292)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.lambda$decrypt$0(EnvironmentDecryptApplicationInitializer.java:270)
    at java.base/java.util.LinkedHashMap.replaceAll(LinkedHashMap.java:694)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:265)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:190)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:124)
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:626)
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:370)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:314)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215)
    at com.example.SpringBootAdminApplication.main(SpringBootAdminApplication.java:17)
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
    at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:165)
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:277)
    ... 11 common frames omitted

NOTE: While creating the new sample project I discovered what was probably causing the problem. Apparently I was using Spring Cloud Hoxton.M3 when I initially discovered the problem. Now I've changed to Hoxton.RELEASE and the problem is gone.

Comment From: spencergibb

eureka and springboot-admin should not be needed to replicate the issue. Can you remove them and make the project as minimal as possible?

Comment From: davgia

Ok, I've simplified the project. Here is the new archive: config-server-test-v2.zip

Comment From: OLPMO

I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info output to the console. The error info displayed below: java.lang.IllegalStateException: No .git at file://${user.dir}/configurations @DaviGia

Comment From: davgia

> I ran the demo, but there was something wrong. I ran config-server, and then ran project test-app. Some error info output to the console. The error info displayed below: java.lang.IllegalStateException: No .git at file://${user.dir}/configurations @DaviGia

As I already said in a comment above, you must initialize the git repository and add/commit your configuration files before launching the config-server application (ref: comment)

Comment From: OLPMO

Well, the new error info was output to the console of project test-app after I init the git repo. The error info displayed below: java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found @DaviGia

Comment From: davgia

> Well, the new error info was output to the console of project test-app after I init the git repo. The error info displayed below: java.lang.IllegalStateException: Could not locate PropertySource and the fail fast property is set, failing: None of labels [] found @DaviGia

You did not add/commit the yml file in the repository, please read carefully the whole reply I made.

Comment From: OLPMO

Oh, sorry. It is my carelessness. I reproduced the bug after committing the yml file. @DaviGia

Comment From: spencergibb

> Now I've changed to Hoxton.RELEASE and the problem is gone.

M3 is a milestone and not supported.