Description
Describe the bug
TextEncryptorConfigBootstrapper.java#L67-L85 promotes KeyProperties, RsaProperties and TextEncryptor beans to the ApplicationContext. When key properties are not available during bootstrap, default instances of KeyProperties, RsaProperties, and TextEncryptor (FailsafeTextEncryptor) are promoted.
In a later stage of startup, if key properties are supplied (in my case via EnvironmentPostProcessor), they will be ignored by the AutoConfiguration classes, because the relevant bean (TextEncryptor) is already present in the ApplicationContext.
Sample
A simple spring-boot app like the following, with org.springframework.cloud:spring-cloud-config-server as a dependency, shows the issue:
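```java
import java.util.Map;

import jakarta.annotation.PostConstruct; // javax.annotation.PostConstruct on Spring Boot 2.x
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.MutablePropertySources;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.stereotype.Component;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}

// Supplies encrypt.key after bootstrap; an EnvironmentPostProcessor has to be
// listed in META-INF/spring.factories to be picked up.
class Processor implements EnvironmentPostProcessor {
    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        final MutablePropertySources propertySources = environment.getPropertySources();
        propertySources.addFirst(new MapPropertySource("test", Map.of("encrypt.key", "my-secret-key")));
    }
}

// Prints which TextEncryptor implementation ended up in the ApplicationContext.
@Component
class Test {
    @Autowired
    private TextEncryptor encryptor;

    @PostConstruct
    void test() {
        System.out.println("### Encryptor:: " + encryptor.getClass().getSimpleName());
    }
}
```
Sample output:
```
### Encryptor:: FailsafeTextEncryptor
```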
The output shows that FailsafeTextEncryptor is registered, which cannot encrypt/decrypt any secret.
Workaround
Currently I work around the issue by enabling the legacy bootstrap (e.g. adding org.springframework.cloud:spring-cloud-starter-bootstrap as a dependency). See the if condition in TextEncryptorConfigBootstrapper.java#L69-L71, which cancels the promotion in case legacy bootstrap is enabled.
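A startup self-test that makes the condition described in this report fail loudly instead of leaving a non-functional encryptor in place. This is an added example, not part of the original issue and not Spring Cloud's own code. The class name `EncryptorStartupGuard` and the probe string are hypothetical, and it assumes only the symmetric `encrypt.key` property needs checking (keystore/RSA settings are not covered).

```java
import org.springframework.boot.ApplicationArguments;
import org.springframework.boot.ApplicationRunner;
import org.springframework.core.env.Environment;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.stereotype.Component;

// Hypothetical guard (example only): aborts startup when encrypt.key is present
// in the final Environment but the injected TextEncryptor cannot use it.
@Component
class EncryptorStartupGuard implements ApplicationRunner {

    private static final String PROBE = "encryptor-self-test"; // constructed sample value

    private final Environment environment;
    private final TextEncryptor encryptor;

    EncryptorStartupGuard(Environment environment, TextEncryptor encryptor) {
        this.environment = environment;
        this.encryptor = encryptor;
    }

    @Override
    public void run(ApplicationArguments args) {
        // The final Environment includes properties added by an EnvironmentPostProcessor.
        if (!environment.containsProperty("encrypt.key")) {
            return; // no key configured, nothing to enforce
        }
        String type = encryptor.getClass().getSimpleName();
        String cipher;
        String plain;
        try {
            cipher = encryptor.encrypt(PROBE);
            plain = encryptor.decrypt(cipher);
        } catch (RuntimeException e) {
            // An encryptor that rejects encrypt/decrypt calls ends up here.
            throw new IllegalStateException(
                "encrypt.key is set, but TextEncryptor " + type + " cannot encrypt/decrypt", e);
        }
        // Also reject a pass-through encryptor that returns the plaintext unchanged.
        if (PROBE.equals(cipher) || !PROBE.equals(plain)) {
            throw new IllegalStateException(
                "TextEncryptor " + type + " failed the round-trip self-test");
        }
    }
}
```

An exception thrown from an `ApplicationRunner` makes `SpringApplication.run` fail, so the misconfiguration is caught at deploy time rather than when the first secret is decrypted.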