Yiwei Yu

Posted on: 2026-01-07

Where to Store Sensitive Data in Spring Boot Projects

In pretty much any project, you’ll inevitably need to store some sensitive data—things like database username/password, or access keys for an S3 bucket. If you put those directly in your .properties file, they’ll get pushed to GitHub along with your code, which is obviously not what you want.

Spring Boot supports reading external values from environment variables, and that’s a solid approach. However, for local development and testing, I don’t really like dumping more stuff into my global environment variables. My system already has many env vars, and adding project-specific secrets there just makes everything messy and harder to manage.

So here’s the solution I’m using.

Local development & testing

For local development and testing, you can store sensitive values in IntelliJ’s Run/Debug configuration environment variables.

By default, Run/Debug settings are saved in .idea/workspace.xml, which is usually included in .gitignore, so it won’t be committed to GitHub. This makes it super convenient: your secrets stay local, and you don’t have to maintain a separate secret file for every dev machine.

Production environment

On the production server, set the application up as a system service: 

Create a dedicated environment file:

sudo nano /etc/yourApp.env

Then create and edit the service file:

sudo nano /etc/systemd/system/yourApp.service

Inside the service file, you point the service to the environment file you just created (so systemd loads those variables when starting the app).
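
The two files described above, written out as an added example (not from the original post). The service user, the java and jar paths, and every value in the environment file are constructed placeholders; only the two file names come from the article.

```sh
#!/bin/sh
# Added example. PREFIX lets you stage the files in a scratch directory
# first; leave it empty to write to the real /etc (run as root).
PREFIX="${PREFIX:-}"
ENV_FILE="$PREFIX/etc/yourApp.env"
UNIT_FILE="$PREFIX/etc/systemd/system/yourApp.service"

# Write the environment file so only its owner can read it.
write_env_file() {
    mkdir -p "$(dirname "$ENV_FILE")"
    ( umask 077   # a new file is created 0600, never briefly world-readable
      cat > "$ENV_FILE" <<'EOF'
PRODUCTION_DATASOURCE_URL=jdbc:postgresql://db.example.internal:5432/app
PRODUCTION_DATASOURCE_USERNAME=app_user
PRODUCTION_DATASOURCE_PASSWORD=change-me
EOF
    )
    chmod 600 "$ENV_FILE"   # also tightens a file that already existed
}

# Write the unit file; EnvironmentFile= is the line that loads the secrets.
write_unit_file() {
    mkdir -p "$(dirname "$UNIT_FILE")"
    cat > "$UNIT_FILE" <<'EOF'
[Unit]
Description=yourApp (Spring Boot)
After=network.target

[Service]
User=yourapp
EnvironmentFile=/etc/yourApp.env
ExecStart=/usr/bin/java -jar /opt/yourApp/yourApp.jar
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Succeeds only if the env file grants nothing to group or others.
env_file_is_private() {
    mode=$(stat -c '%a' "$ENV_FILE") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}
# As root: write_env_file && write_unit_file && env_file_is_private \
#   && systemctl daemon-reload && systemctl enable --now yourApp
```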

Using them in Spring Boot

Finally, in the project’s properties file, just use the same keys. Spring Boot will automatically pick up the corresponding values from the environment.

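# data-source
# Repeating a key in one document means only the last value is used, so each
# environment gets its own document. The profile names here are assumed.
# Multi-document properties files need Spring Boot 2.4 or later.
spring.config.activate.on-profile=development
spring.datasource.url=${DEVELOPMENT_DATASOURCE_URL}
spring.datasource.username=${DEVELOPMENT_DATASOURCE_USERNAME}
spring.datasource.password=${DEVELOPMENT_DATASOURCE_PASSWORD}
#---
spring.config.activate.on-profile=testing
spring.datasource.url=${TESTING_DATASOURCE_URL}
spring.datasource.username=${TESTING_DATASOURCE_USERNAME}
spring.datasource.password=${TESTING_DATASOURCE_PASSWORD}
#---
spring.config.activate.on-profile=production
spring.datasource.url=${PRODUCTION_DATASOURCE_URL}
spring.datasource.username=${PRODUCTION_DATASOURCE_USERNAME}
spring.datasource.password=${PRODUCTION_DATASOURCE_PASSWORD}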

Overall, it’s simple, easy to maintain, and it keeps sensitive data out of your repository.



