Encrypted Datasource Plugin

Available since 2.1.0 (Rundeck PRO Version History)

This plugin provides a way to store your dataSource.password in encrypted form inside your Rundeck config file.


This plugin's behavior may change in the future.


This plugin uses Jasypt to encrypt and decrypt passwords, and provides a simple way to use them within your Rundeck config file.

To encrypt the password, follow the instructions below:

  1. Encrypt a password. You do this by providing a master password.
  2. Convert your Rundeck config file to groovy format.

When Rundeck server starts up, it requires the master password to be available to let it decrypt the database password. You can provide the master password at startup in several ways:

  1. Enter it on the console (default). Rundeck will prompt for the master password at startup.
  2. Define an environment variable available to the server at startup: RD_ENCRYPTION_DEFAULT_PASSWORD

You can define multiple “master passwords”. The default is called “default”, but you can define a “db” password, etc.

You specify which “master password” configuration to use when you encrypt/decrypt the password.

Encrypt Password

To encrypt the database password, use the encrypt command.

Usage: encrypt [config] [value]

  • config (configuration name), default: “default”
  • value (value to encrypt/decrypt), prompted if not provided


[rundeck ~]$ java -cp server/exp/webapp/WEB-INF/lib/grails-plugin-encrypt-datasource-password-2.1.0.jar:server/exp/webapp/WEB-INF/lib/* \
  rundeck.codecs.EncryptCodec encrypt 'password'
Enter master password for [default]: 

Move the configuration to a rundeck-config.groovy file

See the FAQ about converting to groovy format.

Specify the new file path at startup:

  • Launcher:

      java -jar rundeck-launcher.jar
  • RPM: Add this to the /etc/sysconfig/rundeckd file:

      export RDECK_CONFIG_FILE="/etc/rundeck/rundeck-config.groovy"
  • DEB: Add this to the /etc/default/rundeckd file:

      export RDECK_CONFIG_FILE="/etc/rundeck/rundeck-config.groovy"

Verify the groovy config change

After you convert to rundeck-config.groovy format, it is best to restart the Rundeck server and verify your configuration works the same, before replacing the plaintext datasource password.

Edit rundeck-config.groovy to encrypt the datasource password:

After you have converted to .groovy format, add the lines shown below. In place of the cleartext database password, you would use decrypt 'encryptedpassword','default', true.

This decrypts the encrypted password using the default configuration, and allows prompting on the console for the password.

The configuration name defaults to default and console prompting defaults to true, so this is equivalent: decrypt 'encryptedpassword'. You can specify a different configuration name, or use false to prevent console prompting.

//add import statement for the decrypt command
import static rundeck.codecs.EncryptCodec.decrypt


//set the password to the result of decrypting
dataSource.password=decrypt 'encryptedpassword'

And the system environment should be defined as:

[rundeck ~]$ export RD_ENCRYPTION_DEFAULT_PASSWORD=myDefaultmasterpassword

Note: if you use a different configuration name, be sure to specify it in the decrypt '...','configname' line as well as in the environment variable, e.g. RD_ENCRYPTION_DB_PASSWORD=myDBmasterpassword
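
A pre-start check for the setup described above, as an added example that is not part of the Rundeck documentation or plugin: it lists each decrypt call in rundeck-config.groovy, derives the matching master-password variable, and flags a dataSource.password that is still in cleartext. The function names, the upper-casing rule for configuration names other than default and db, and the sample config are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Rundeck code): pre-start check of rundeck-config.groovy.
# Assumption: every configuration name maps to its variable the way the page's
# two examples do (default -> RD_ENCRYPTION_DEFAULT_PASSWORD, db -> ..._DB_...).
master_var() {
  printf 'RD_ENCRYPTION_%s_PASSWORD\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Print "<config> <prompt>" for every decrypt call outside // comment lines.
decrypt_calls() {
  grep -v '^[[:space:]]*//' "$1" |
  sed -n "s/.*decrypt[[:space:](]*'[^']*'[[:space:]]*\(.*\)/\1/p" |
  while IFS= read -r rest; do
    cfg=$(printf '%s\n' "$rest" | sed -n "s/^,[[:space:]]*'\([^']*\)'.*/\1/p")
    case $rest in *,*,*false*) prompt=false ;; *) prompt=true ;; esac
    printf '%s %s\n' "${cfg:-default}" "$prompt"
  done
}

# Return 1 if a cleartext password remains or a required variable is missing.
check_config() {
  file=$1; rc=0
  if grep -E '^[[:space:]]*dataSource\.password[[:space:]]*=' "$file" | grep -qv decrypt; then
    echo "FAIL: $file still sets dataSource.password in cleartext"; rc=1
  fi
  while read -r cfg prompt; do
    [ -n "$cfg" ] || continue; var=$(master_var "$cfg")
    [ -n "$(printenv "$var")" ] && continue
    if [ "$prompt" = false ]; then
      echo "FAIL: $var is unset and console prompting is disabled for [$cfg]"; rc=1
    else
      echo "WARN: $var is unset; startup will prompt for the [$cfg] master password"
    fi
  done <<EOF
$(decrypt_calls "$file")
EOF
  return $rc
}

# Constructed sample: one encrypted entry that uses the "db" configuration.
sample_config() {
  printf '%s\n' "import static rundeck.codecs.EncryptCodec.decrypt" \
    "dataSource.password=decrypt 'ENCRYPTED_PLACEHOLDER','db', false"
}

# Check the file given as $1, or the constructed sample when run without arguments.
if [ "$#" -gt 0 ]; then target=$1; else target=$(mktemp); sample_config > "$target"; fi
check_config "$target" || echo "Resolve the FAIL lines before starting Rundeck."
[ "$#" -gt 0 ] || rm -f "$target"
```

Run it in the same environment the server starts in, since only exported variables are visible to the check.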

Restart Rundeck

  • If the container is Tomcat and the secret key will be entered using the console, it is necessary to start Tomcat with start or catalina.bat start