EDIT If you use Jasypt, you do not need to define any PropertiesPersister. From the Jasypt documentation:

Jasypt provides an implementation of these configuration-related Spring classes which can read .properties files with encrypted values (like the ones managed by the EncryptableProperties class) and handle them transparently to the rest of the Spring application beans.

With this, you can define jdbc.properties like this

 jdbc.driver=com.mysql.jdbc.Driver jdbc.url=jdbc:mysql://localhost/reportsdb jdbc.username=reportsUser jdbc.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm) 

and the Spring config may be like this

<bean class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer"> <constructor-arg> <bean class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"> <property name="config"> <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"> <property name="algorithm" value="PBEWithMD5AndDES" /> <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" /> </bean> </property> </bean> </constructor-arg> <property name="locations"> <list> <value>/WEB-INF/classes/jdbc.properties</value> </list> </property> </bean> <bean id="dataSource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="${jdbc.driverClassName}"/> <property name="url" value="${jdbc.url}"/> <property name="username" value="${jdbc.username}"/> <property name="password" value="${jdbc.password}"/> </bean> 

This way, you can put the password for decrypt the hidden property in an environment variable when you start the application and unset it later.

With Spring there is a better way: use the PropertyPlaceholderConfigurer class.

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"> <property name="locations"> <value>classpath:com/foo/jdbc.properties</value> </property> <property name="propertiesPersister"> <bean class="com.mycompany.MyPropertyPersister" /> </property> </bean> <bean id="dataSource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="${jdbc.driverClassName}"/> <property name="url" value="${jdbc.url}"/> <property name="username" value="${jdbc.username}"/> <property name="password" value="${jdbc.password}"/> </bean> 

When you specify a subclass of PropertiesPersister in the property placeholder, Spring load the jdbc.properties and decrypt the file using that class. Maybe something like:

public class MyPropertyPersister extends DefaultPropertiesPersister { // ... initializing stuff... public void load(Properties props, InputStream is) throws IOException { Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(is, decrypter); super.load(props, cis); } public void load(Properties props, Reader reader) throws IOException { ByteArrayOutputStream baos = new ByteArrayOutputStream(); IOUtils.copy(reader, baos); ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray()); Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(bais, decrypter); InputStreamReader realReader = new InputStreamReader(cis); super.load(props, realReader); } public void loadFromXml(Properties props, InputStream is) throws IOException { Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(is, decrypter); super.loadFromXml(props, cis); } ... other methods ... } 

Hope it helps.

With Spring there is a better way: use the PropertyPlaceholderConfigurer class.

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"> <property name="locations"> <value>classpath:com/foo/jdbc.properties</value> </property> <property name="propertiesPersister"> <bean class="com.mycompany.MyPropertyPersister" /> </property> </bean> <bean id="dataSource" destroy-method="close" class="org.apache.commons.dbcp.BasicDataSource"> <property name="driverClassName" value="${jdbc.driverClassName}"/> <property name="url" value="${jdbc.url}"/> <property name="username" value="${jdbc.username}"/> <property name="password" value="${jdbc.password}"/> </bean> 

When you specify a subclass of PropertiesPersister in the property placeholder, Spring load the jdbc.properties and decrypt the file using that class. Maybe something like:

public class MyPropertyPersister extends DefaultPropertiesPersister { // ... initializing stuff... public void load(Properties props, InputStream is) throws IOException { Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(is, decrypter); super.load(props, cis); } public void load(Properties props, Reader reader) throws IOException { ByteArrayOutputStream baos = new ByteArrayOutputStream(); IOUtils.copy(reader, baos); ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray()); Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(bais, decrypter); InputStreamReader realReader = new InputStreamReader(cis); super.load(props, realReader); } public void loadFromXml(Properties props, InputStream is) throws IOException { Cipher decrypter = getCipher(); InputStream cis = new CipherInputStream(is, decrypter); super.loadFromXml(props, cis); }    private Cipher getCipher() { // return a Cipher to read the encrypted properties file  ...    }  ... } 

Hope it helps.