Before you can use the keystore based encryption service, you have to create a keystore file using the Java keytool command. The keystore will contain the keys used for encryption and decryption. On the command prompt type:

keytool -genkeypair -keyalg RSA
    -keystore <KEYSTORE_FILENAME>
    -storepass <KEYSTORE_PASSWORD>
    -alias <KEY_ALIAS>
    -keypass <KEY_PASSWORD>

For secure usage at command line, it is not recommended to provide passwords directly on the command line. Use the secure input by not presenting a value for the password options. The keytool will prompt for secure password input. For details, see the documentation of keytool. Certain keystore types require identical passwords for the keystore and key. You will get an appropriate warning when generating the key in this case.

Note

For the above-mentioned command, the generated PKCS12 KeyStore needs to have the same KEY_PASSWORD and KEYSTORE_PASSWORD.

The keytool will prompt you for your username, organizational unit, organization, city, state/province and country code. This information (which goes into your self-signed certificate) is not relevant for the keystore to work properly. The resulting key/certificate will be valid for 90 days unless you specify another validity duration using the validity option. Note that you have to update the stored encrypted values when your keypair changes. Chose your keystore validity carefully.

The next step is to configure the keystore encryption service. This is described in the following sections. The recommended way is to use the Spring Boot configuration properties.