diff --git a/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java b/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
index 52db5fbf8f1..9836166f1fc 100644
--- a/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
+++ b/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
@@ -53,8 +53,14 @@ public static Encryptor getInstance() {
     }
 
     public static Encryptor getInstance(final String secretKey) {
-        String actualKey = StringUtils.isBlank(secretKey) ? DEFAULT_SECRET_KEY : secretKey;
-
+        LOG.info("using custom encryptor");
+
+        // this is the change done by us which changes the secretKey usage in the following way:
+        // old: first secretKey parameter, then default secretKey
+        // new: first secretKey parameter, then secretKey from security.secretKey property, then default secretKey
+        SecurityProperties securityProperties = ApplicationContextProvider.getApplicationContext().getBean(SecurityProperties.class);
+        String secretKeyFromProperties = securityProperties.getSecretKey() == null ? DEFAULT_SECRET_KEY : securityProperties.getSecretKey();
+        String actualKey = StringUtils.isBlank(secretKey) ? secretKeyFromProperties : secretKey;
         Encryptor instance = INSTANCES.get(actualKey);
         if (instance == null) {
             instance = new Encryptor(actualKey);