diff --git a/continew-admin-common/pom.xml b/continew-admin-common/pom.xml
index c6d6c3ce..64730951 100644
--- a/continew-admin-common/pom.xml
+++ b/continew-admin-common/pom.xml
@@ -96,6 +96,12 @@
             <artifactId>continew-starter-file-excel</artifactId>
         </dependency>
 
+        <!-- ContiNew Starter 安全模块 - 加密 -->
+        <dependency>
+            <groupId>top.charles7c.continew</groupId>
+            <artifactId>continew-starter-security-crypto</artifactId>
+        </dependency>
+
         <!-- ContiNew Starter 安全模块 - 脱敏 -->
         <dependency>
             <groupId>top.charles7c.continew</groupId>
diff --git a/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/BCryptEncryptor.java b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/BCryptEncryptor.java
new file mode 100644
index 00000000..26ff301e
--- /dev/null
+++ b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/BCryptEncryptor.java
@@ -0,0 +1,29 @@
+package top.charles7c.continew.admin.common.config.mybatis;
+
+import org.springframework.security.crypto.password.PasswordEncoder;
+import top.charles7c.continew.starter.security.crypto.encryptor.IEncryptor;
+
+/**
+ * BCrypt 加/解密处理器（不可逆）
+ *
+ * @author Charles7c
+ * @since 2024/2/8 22:29
+ */
+public class BCryptEncryptor implements IEncryptor {
+
+    private final PasswordEncoder passwordEncoder;
+
+    public BCryptEncryptor(PasswordEncoder passwordEncoder) {
+        this.passwordEncoder = passwordEncoder;
+    }
+
+    @Override
+    public String encrypt(String plaintext, String password, String publicKey) throws Exception {
+        return passwordEncoder.encode(plaintext);
+    }
+
+    @Override
+    public String decrypt(String ciphertext, String password, String privateKey) throws Exception {
+        return ciphertext;
+    }
+}
diff --git a/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/MybatisPlusConfiguration.java b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/MybatisPlusConfiguration.java
index 54905749..681ceed6 100644
--- a/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/MybatisPlusConfiguration.java
+++ b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/mybatis/MybatisPlusConfiguration.java
@@ -21,6 +21,7 @@ import org.springframework.context.annotation.Configuration;
 
 import com.baomidou.mybatisplus.core.handlers.MetaObjectHandler;
 
+import org.springframework.security.crypto.password.PasswordEncoder;
 import top.charles7c.continew.starter.data.mybatis.plus.datapermission.DataPermissionFilter;
 
 /**
@@ -47,4 +48,12 @@ public class MybatisPlusConfiguration {
     public DataPermissionFilter dataPermissionFilter() {
         return new DataPermissionFilterImpl();
     }
+
+    /**
+     * BCrypt 加/解密处理器
+     */
+    @Bean
+    public BCryptEncryptor bCryptEncryptor(PasswordEncoder passwordEncoder) {
+        return new BCryptEncryptor(passwordEncoder);
+    }
 }
diff --git a/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/properties/RsaProperties.java b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/properties/RsaProperties.java
index ddf39acd..1e003fb9 100644
--- a/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/properties/RsaProperties.java
+++ b/continew-admin-common/src/main/java/top/charles7c/continew/admin/common/config/properties/RsaProperties.java
@@ -31,7 +31,7 @@ public class RsaProperties {
     public static final String PRIVATE_KEY;
 
     static {
-        PRIVATE_KEY = SpringUtil.getProperty("rsa.privateKey");
+        PRIVATE_KEY = SpringUtil.getProperty("continew-starter.security.crypto.private-key");
     }
 
     private RsaProperties() {
diff --git a/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/model/entity/UserDO.java b/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/model/entity/UserDO.java
index 32361639..b135f53e 100644
--- a/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/model/entity/UserDO.java
+++ b/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/model/entity/UserDO.java
@@ -16,16 +16,17 @@
 
 package top.charles7c.continew.admin.system.model.entity;
 
-import java.io.Serial;
-import java.time.LocalDateTime;
-
-import lombok.Data;
-
 import com.baomidou.mybatisplus.annotation.TableName;
-
+import lombok.Data;
+import top.charles7c.continew.admin.common.config.mybatis.BCryptEncryptor;
 import top.charles7c.continew.admin.common.enums.DisEnableStatusEnum;
 import top.charles7c.continew.admin.common.enums.GenderEnum;
 import top.charles7c.continew.starter.extension.crud.model.entity.BaseDO;
+import top.charles7c.continew.starter.security.crypto.annotation.FieldEncrypt;
+import top.charles7c.continew.starter.security.crypto.enums.Algorithm;
+
+import java.io.Serial;
+import java.time.LocalDateTime;
 
 /**
  * 用户实体
@@ -53,6 +54,7 @@ public class UserDO extends BaseDO {
     /**
      * 密码
      */
+    @FieldEncrypt(encryptor = BCryptEncryptor.class)
     private String password;
 
     /**
@@ -63,11 +65,13 @@ public class UserDO extends BaseDO {
     /**
      * 邮箱
      */
+    @FieldEncrypt(Algorithm.AES)
     private String email;
 
     /**
      * 手机号码
      */
+    @FieldEncrypt(Algorithm.AES)
     private String phone;
 
     /**
diff --git a/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/service/impl/UserServiceImpl.java b/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/service/impl/UserServiceImpl.java
index a486e65c..ef3fd45e 100644
--- a/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/service/impl/UserServiceImpl.java
+++ b/continew-admin-system/src/main/java/top/charles7c/continew/admin/system/service/impl/UserServiceImpl.java
@@ -93,7 +93,6 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
         String phone = req.getPhone();
         CheckUtils.throwIf(StrUtil.isNotBlank(phone) && this.isPhoneExists(phone, null), errorMsgTemplate, phone);
         req.setStatus(DisEnableStatusEnum.ENABLE);
-        req.setPassword(passwordEncoder.encode(req.getPassword()));
     }
 
     @Override
@@ -201,12 +200,9 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
             CheckUtils.throwIf(!passwordEncoder.matches(oldPassword, password), "当前密码错误");
         }
         // 更新密码和密码重置时间
-        LocalDateTime now = LocalDateTime.now();
-        baseMapper.lambdaUpdate()
-            .set(UserDO::getPassword, passwordEncoder.encode(newPassword))
-            .set(UserDO::getPwdResetTime, now)
-            .eq(UserDO::getId, id)
-            .update();
+        user.setPassword(newPassword);
+        user.setPwdResetTime(LocalDateTime.now());
+        baseMapper.updateById(user);
     }
 
     @Override
@@ -234,7 +230,7 @@ public class UserServiceImpl extends BaseServiceImpl<UserMapper, UserDO, UserRes
     @Override
     public void resetPassword(UserPasswordResetReq req, Long id) {
         UserDO user = super.getById(id);
-        user.setPassword(passwordEncoder.encode(req.getNewPassword()));
+        user.setPassword(req.getNewPassword());
         user.setPwdResetTime(LocalDateTime.now());
         baseMapper.updateById(user);
     }
diff --git a/continew-admin-webapi/src/main/resources/config/application-dev.yml b/continew-admin-webapi/src/main/resources/config/application-dev.yml
index cee37c3f..8fcd9581 100644
--- a/continew-admin-webapi/src/main/resources/config/application-dev.yml
+++ b/continew-admin-webapi/src/main/resources/config/application-dev.yml
@@ -236,6 +236,16 @@ sa-token.extension:
     # 本地存储资源
     - /file/**
 
+--- ### 字段加/解密配置
+continew-starter.security:
+  crypto:
+    enabled: true
+    # 对称加密算法密钥
+    password: abcdefghijklmnop
+    # 非对称加密算法密钥（在线生成 RSA 密钥对：http://web.chacuo.net/netrsakeypair）
+    public-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM51dgYtMyF+tTQt80sfFOpSV27a7t9uaUVeFrdGiVxscuizE7H8SMntYqfn9lp8a5GH5P1/GGehVjUD2gF/4kcCAwEAAQ==
+    private-key: MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAznV2Bi0zIX61NC3zSx8U6lJXbtru325pRV4Wt0aJXGxy6LMTsfxIye1ip+f2WnxrkYfk/X8YZ6FWNQPaAX/iRwIDAQABAkEAk/VcAusrpIqA5Ac2P5Tj0VX3cOuXmyouaVcXonr7f+6y2YTjLQuAnkcfKKocQI/juIRQBFQIqqW/m1nmz1wGeQIhAO8XaA/KxzOIgU0l/4lm0A2Wne6RokJ9HLs1YpOzIUmVAiEA3Q9DQrpAlIuiT1yWAGSxA9RxcjUM/1kdVLTkv0avXWsCIE0X8woEjK7lOSwzMG6RpEx9YHdopjViOj1zPVH61KTxAiBmv/dlhqkJ4rV46fIXELZur0pj6WC3N7a4brR8a+CLLQIhAMQyerWl2cPNVtE/8tkziHKbwW3ZUiBXU24wFxedT9iV
+
 --- ### 密码编码器配置
 continew-starter.security:
   password:
@@ -243,11 +253,6 @@ continew-starter.security:
     # BCryptPasswordEncoder
     encoding-id: bcrypt
 
---- ### 非对称加密配置（例如：密码加密传输，前端公钥加密，后端私钥解密；在线生成 RSA 密钥对：http://web.chacuo.net/netrsakeypair）
-rsa:
-  # 私钥
-  privateKey: MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAznV2Bi0zIX61NC3zSx8U6lJXbtru325pRV4Wt0aJXGxy6LMTsfxIye1ip+f2WnxrkYfk/X8YZ6FWNQPaAX/iRwIDAQABAkEAk/VcAusrpIqA5Ac2P5Tj0VX3cOuXmyouaVcXonr7f+6y2YTjLQuAnkcfKKocQI/juIRQBFQIqqW/m1nmz1wGeQIhAO8XaA/KxzOIgU0l/4lm0A2Wne6RokJ9HLs1YpOzIUmVAiEA3Q9DQrpAlIuiT1yWAGSxA9RxcjUM/1kdVLTkv0avXWsCIE0X8woEjK7lOSwzMG6RpEx9YHdopjViOj1zPVH61KTxAiBmv/dlhqkJ4rV46fIXELZur0pj6WC3N7a4brR8a+CLLQIhAMQyerWl2cPNVtE/8tkziHKbwW3ZUiBXU24wFxedT9iV
-
 --- ### 文件上传配置
 spring.servlet:
   multipart:
diff --git a/continew-admin-webapi/src/main/resources/config/application-prod.yml b/continew-admin-webapi/src/main/resources/config/application-prod.yml
index dd86a414..0aad6afa 100644
--- a/continew-admin-webapi/src/main/resources/config/application-prod.yml
+++ b/continew-admin-webapi/src/main/resources/config/application-prod.yml
@@ -235,6 +235,16 @@ sa-token.extension:
     # 本地存储资源
     - /file/**
 
+--- ### 字段加/解密配置
+continew-starter.security:
+  crypto:
+    enabled: true
+    # 对称加密算法密钥
+    password: abcdefghijklmnop
+    # 非对称加密算法密钥（在线生成 RSA 密钥对：http://web.chacuo.net/netrsakeypair）
+    public-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAM51dgYtMyF+tTQt80sfFOpSV27a7t9uaUVeFrdGiVxscuizE7H8SMntYqfn9lp8a5GH5P1/GGehVjUD2gF/4kcCAwEAAQ==
+    private-key: MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAznV2Bi0zIX61NC3zSx8U6lJXbtru325pRV4Wt0aJXGxy6LMTsfxIye1ip+f2WnxrkYfk/X8YZ6FWNQPaAX/iRwIDAQABAkEAk/VcAusrpIqA5Ac2P5Tj0VX3cOuXmyouaVcXonr7f+6y2YTjLQuAnkcfKKocQI/juIRQBFQIqqW/m1nmz1wGeQIhAO8XaA/KxzOIgU0l/4lm0A2Wne6RokJ9HLs1YpOzIUmVAiEA3Q9DQrpAlIuiT1yWAGSxA9RxcjUM/1kdVLTkv0avXWsCIE0X8woEjK7lOSwzMG6RpEx9YHdopjViOj1zPVH61KTxAiBmv/dlhqkJ4rV46fIXELZur0pj6WC3N7a4brR8a+CLLQIhAMQyerWl2cPNVtE/8tkziHKbwW3ZUiBXU24wFxedT9iV
+
 --- ### 密码编码器配置
 continew-starter.security:
   password:
@@ -242,11 +252,6 @@ continew-starter.security:
     # BCryptPasswordEncoder
     encoding-id: bcrypt
 
---- ### 非对称加密配置（例如：密码加密传输，前端公钥加密，后端私钥解密；在线生成 RSA 密钥对：http://web.chacuo.net/netrsakeypair）
-rsa:
-  # 私钥
-  privateKey: MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAznV2Bi0zIX61NC3zSx8U6lJXbtru325pRV4Wt0aJXGxy6LMTsfxIye1ip+f2WnxrkYfk/X8YZ6FWNQPaAX/iRwIDAQABAkEAk/VcAusrpIqA5Ac2P5Tj0VX3cOuXmyouaVcXonr7f+6y2YTjLQuAnkcfKKocQI/juIRQBFQIqqW/m1nmz1wGeQIhAO8XaA/KxzOIgU0l/4lm0A2Wne6RokJ9HLs1YpOzIUmVAiEA3Q9DQrpAlIuiT1yWAGSxA9RxcjUM/1kdVLTkv0avXWsCIE0X8woEjK7lOSwzMG6RpEx9YHdopjViOj1zPVH61KTxAiBmv/dlhqkJ4rV46fIXELZur0pj6WC3N7a4brR8a+CLLQIhAMQyerWl2cPNVtE/8tkziHKbwW3ZUiBXU24wFxedT9iV
-
 --- ### 文件上传配置
 spring.servlet:
   multipart:
diff --git a/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_column.sql b/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_column.sql
index 7a628713..252710ab 100644
--- a/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_column.sql
+++ b/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_column.sql
@@ -5,4 +5,8 @@ ALTER TABLE `sys_log` ADD COLUMN `trace_id` varchar(255) NULL COMMENT '链路ID'
 
 -- changeset Charles7c:2
 ALTER TABLE `sys_user`
-    MODIFY COLUMN `password` varchar(255) DEFAULT NULL COMMENT '密码（加密）' AFTER `nickname`;
\ No newline at end of file
+    MODIFY COLUMN `password` varchar(255) DEFAULT NULL COMMENT '密码（加密）' AFTER `nickname`;
+
+-- changeset Charles7c:3
+ALTER TABLE `sys_user`
+    MODIFY COLUMN `phone` varchar(255) DEFAULT NULL COMMENT '手机号码' AFTER `email`;
\ No newline at end of file
diff --git a/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_data.sql b/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_data.sql
index c461745e..5f388f77 100644
--- a/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_data.sql
+++ b/continew-admin-webapi/src/main/resources/db/changelog/v2.4.0/continew-admin_data.sql
@@ -2,4 +2,8 @@
 
 -- changeset Charles7c:1
 UPDATE `sys_user` SET `password` = '{bcrypt}$2a$10$4jGwK2BMJ7FgVR.mgwGodey8.xR8FLoU1XSXpxJ9nZQt.pufhasSa' WHERE `username` = 'admin';
-UPDATE `sys_user` SET `password` = '{bcrypt}$2a$10$meMbyso06lupZjxT88fG8undZo6.DSNUmifRfnnre8r/s13ciq6M6' WHERE `username` = 'test';
\ No newline at end of file
+UPDATE `sys_user` SET `password` = '{bcrypt}$2a$10$meMbyso06lupZjxT88fG8undZo6.DSNUmifRfnnre8r/s13ciq6M6' WHERE `username` = 'test';
+
+-- changeset Charles7c:2
+UPDATE `sys_user` SET `email` = '42190c6c5639d2ca4edb4150a35e058559ccf8270361a23745a2fd285a273c28' WHERE `username` = 'admin';
+UPDATE `sys_user` SET `phone` = '5bda89a4609a65546422ea56bfe5eab4' WHERE `username` = 'admin';
