Secrets should never be stored in plaintext, and once stored, should never be sent back to the browser in plaintext. Declare the field and the bean property to be of type hudson.util.Secret, so it is protected by the master key. Form data binding with <f:password> and @DataBoundConstructor automatically deals with this; since you seem to be managing this form manually, just use fromString to convert an initially entered password, and for round-trips use getEncryptedValue and again fromString. XStream serialization will properly automatically. PR upon request.