Configuration Management in Ballerina

The value “ballerina” was encrypted using the secret “1234”.

$ ballerina encrypt
Enter value:
Enter secret:
Re-enter secret to verify:
Add the following to the runtime config:
@encrypted:{92XujbVRx+rXspbI/8sbdpdrmBmMF1PBDnuVUJKdK/0=}

Or add to the runtime command line:
-e<param>=@encrypted:{92XujbVRx+rXspbI/8sbdpdrmBmMF1PBDnuVUJKdK/0=}

The following is the updated config file, with the plain text password replaced with its encrypted version.

Now let’s try running our echo service using this updated config file.

$ ballerina run -c secure-echo.conf echo_service.bal
ballerina: enter secret for config value decryption:
Initiating service(s) in 'echo_service.bal'
[ballerina/http] started HTTPS/WSS endpoint 0.0.0.0:9095
[ballerina/http] started HTTP/WS endpoint 0.0.0.0:9090

If the runtime detects any encrypted values in the configurations provided to it, it prompts the user to enter the secret (the one used when encrypting the values). Providing an incorrect secret results in a panic. All the encrypted config values used when running a program must therefore be encrypted using the same secret.

Alternatively, you can place the secret in a file and point to it using the -e b7a.config.secret flag. When this flag is set, the runtime reads the secret from the file and then deletes the file, so the file has to be created afresh before each run. The user is not prompted for the secret in this case. This is the more practical way of providing the secret to the config API.

Let’s try this out. Create a file (say, secret.txt) and place the secret in it (1234 in this case).

$ ls
echo_service.bal secret.txt secure-echo.conf

Now run the program with the b7a.config.secret flag set.

$ ballerina run -c secure-echo.conf -e b7a.config.secret=secret.txt echo_service.bal
Initiating service(s) in 'echo_service.bal'
[ballerina/http] started HTTPS/WSS endpoint 0.0.0.0:9095
[ballerina/http] started HTTP/WS endpoint 0.0.0.0:9090

As can be seen, the user is not prompted. If we now run ls again, we can see that the secret.txt file has been deleted.

$ ls
echo_service.bal secure-echo.conf

From the code’s point of view, there is no distinction between how normal and encrypted configurations are accessed: both are retrieved using the key. Internally, encrypted values are stored in the registry in their encrypted form, while plain text values are stored as-is. Encrypted configs are decrypted on demand using the secret provided at the start of the runtime.

Reading Configurations from the Environment

A common requirement is to provide the configurations to the program through environment variables, so let’s take a look at that as well. There are two cases to consider:

Reading a configuration from the environment
Overriding a configuration in the config file using an environment variable

In both cases, we just have to set the environment variable and can then retrieve the value using the key. However, in the current implementation there is a slight difference in behaviour between case 1 and case 2. More details
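As an added illustration of the point above that encrypted and plain values are read through the same key lookup (this is example code, not the post’s own echo service): a Ballerina 1.x HTTPS listener whose keystore password comes from an encrypted entry in secure-echo.conf. The config keys echo.keystore.*, the layout of the config file and the keystore path are assumptions made for this example.

```ballerina
// Added example, not from the original post. Ballerina 1.x syntax is
// assumed; the config keys (echo.keystore.*), the keystore path and the
// shape of secure-echo.conf below are constructed for this illustration.
//
// secure-echo.conf (constructed):
//   [echo.keystore]
//   path = "${ballerina.home}/bre/security/ballerinaKeystore.p12"
//   password = "@encrypted:{92XujbVRx+rXspbI/8sbdpdrmBmMF1PBDnuVUJKdK/0=}"
import ballerina/config;
import ballerina/http;
import ballerina/log;

// The HTTPS listener takes its keystore password from the config API.
// The encrypted value is read exactly like a plain text one: the runtime
// decrypts it on demand with the secret supplied at startup (interactive
// prompt or -e b7a.config.secret=<file>), so the service code never
// handles the ciphertext or the secret itself.
listener http:Listener secureEP = new (9095, config = {
    secureSocket: {
        keyStore: {
            path: config:getAsString("echo.keystore.path"),
            password: config:getAsString("echo.keystore.password")
        }
    }
});

@http:ServiceConfig { basePath: "/echo" }
service echo on secureEP {
    // Echo the text body back to the caller; reject non-text payloads.
    @http:ResourceConfig { methods: ["POST"], path: "/" }
    resource function echoBack(http:Caller caller, http:Request req) {
        string|error payload = req.getTextPayload();
        http:Response res = new;
        if (payload is string) {
            res.setTextPayload(payload);
        } else {
            res.statusCode = 400;
            res.setTextPayload("expected a text payload");
        }
        var result = caller->respond(res);
        if (result is error) {
            log:printError("failed to respond", result);
        }
    }
}
```

Run it as in the post (ballerina run -c secure-echo.conf echo_service.bal): with the correct secret the listener starts on 9095, while a wrong secret panics before the keystore is ever opened.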
