diff --git a/apps/terminal/api/component/terminal.py b/apps/terminal/api/component/terminal.py
index 6d4c141d1..defe33773 100644
--- a/apps/terminal/api/component/terminal.py
+++ b/apps/terminal/api/component/terminal.py
@@ -1,24 +1,26 @@
 # -*- coding: utf-8 -*-
 #
 import logging
-from django.db.models import Q
+
 from django.conf import settings
+from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
+from django_filters import rest_framework as filters
 from rest_framework import generics
 from rest_framework import status
 from rest_framework.views import APIView, Response
-from django_filters import rest_framework as filters
-from common.drf.filters import BaseFilterSet
 from common.api import JMSBulkModelViewSet
+from common.drf.filters import BaseFilterSet
 from common.exceptions import JMSException
-from common.permissions import WithBootstrapToken
+from common.permissions import WithBootstrapToken, IsServiceAccount
+from jumpserver.conf import ConfigCrypto
 from terminal import serializers
 from terminal.models import Terminal
 __all__ = [
 'TerminalViewSet', 'TerminalConfig',
- 'TerminalRegistrationApi',
+ 'TerminalRegistrationApi', 'EncryptedTerminalConfig'
 ]
 logger = logging.getLogger(__file__)
@@ -89,3 +91,17 @@ class TerminalRegistrationApi(generics.CreateAPIView):
 return Response(data=data, status=status.HTTP_400_BAD_REQUEST)
 return super().create(request, *args, **kwargs)
+
+class EncryptedTerminalConfig(generics.CreateAPIView):
+ serializer_class = serializers.EncryptedConfigSerializer
+ permission_classes = [IsServiceAccount]
+ http_method_names = ['post']
+
+ def post(self, request, *args, **kwargs):
+ serializer = self.serializer_class(data=request.data)
+ serializer.is_valid(raise_exception=True)
+ encrypt_key = serializer.validated_data['secret_encrypt_key']
+ encrypted_value = serializer.validated_data['encrypted_value']
+ config_crypto = ConfigCrypto(encrypt_key)
+ value = config_crypto.decrypt(encrypted_value)
+ return Response(data={'value': value}, status=200)
diff --git a/apps/terminal/serializers/terminal.py b/apps/terminal/serializers/terminal.py
index a65249551..1040034aa 100644
--- a/apps/terminal/serializers/terminal.py
+++ b/apps/terminal/serializers/terminal.py
@@ -147,3 +147,8 @@ class ConnectMethodSerializer(serializers.Serializer):
 type = serializers.CharField(max_length=128)
 endpoint_protocol = serializers.CharField(max_length=128)
 component = serializers.CharField(max_length=128)
+
+
+class EncryptedConfigSerializer(serializers.Serializer):
+ secret_encrypt_key = serializers.CharField(max_length=128)
+ encrypted_value = serializers.CharField(max_length=128)
diff --git a/apps/terminal/urls/api_urls.py b/apps/terminal/urls/api_urls.py
index 258e2f0d1..0467f295e 100644
--- a/apps/terminal/urls/api_urls.py
+++ b/apps/terminal/urls/api_urls.py
@@ -54,6 +54,7 @@ urlpatterns = [
 # components
 path('components/metrics/', api.ComponentsMetricsAPIView.as_view(), name='components-metrics'),
 path('components/connect-methods/', api.ConnectMethodListApi.as_view(), name='connect-methods'),
+ path('encrypted-config/', api.EncryptedTerminalConfig.as_view(), name='encrypted-terminal-config'),
 ]
 urlpatterns += router.urls
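Review bot: `EncryptedTerminalConfig.post` calls `ConfigCrypto(encrypt_key)` and `config_crypto.decrypt(encrypted_value)` with no error handling. `ConfigCrypto` is not visible in this diff, so a wrong key or malformed ciphertext presumably either raises (an HTTP 500 whose traceback may carry the key and ciphertext) or returns an empty value that is sent back as a 200. I would catch the failure, answer with `status.HTTP_400_BAD_REQUEST` as the registration view above does, and log it without the key, the ciphertext or the plaintext. Since the request body carries `secret_encrypt_key` and the response carries the decrypted value, confirm that both are excluded from request and operation logging for this route. Minor: the view overrides `post` entirely and creates nothing, so `APIView` states the intent better than `generics.CreateAPIView`, and `status=200` should be `status.HTTP_200_OK` for consistency with the rest of the file.

```python
    def post(self, request, *args, **kwargs):
        # … unchanged: serializer validation and extraction of encrypt_key / encrypted_value …
        try:
            config_crypto = ConfigCrypto(encrypt_key)
            value = config_crypto.decrypt(encrypted_value)
        except Exception:  # narrow to whatever ConfigCrypto actually raises
            # Never log the key, the ciphertext or the plaintext.
            logger.warning('Encrypted terminal config could not be decrypted')
            data = {'error': 'decrypt failed'}
            return Response(data=data, status=status.HTTP_400_BAD_REQUEST)
        return Response(data={'value': value}, status=status.HTTP_200_OK)
```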
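Review bot: Both fields of `EncryptedConfigSerializer` are plain `CharField(max_length=128)`, and DRF's `CharField` strips leading and trailing whitespace by default, so a key or ciphertext that begins or ends with whitespace would be silently altered before it reaches the decrypt call. I would declare them as `serializers.CharField(max_length=128, trim_whitespace=False, write_only=True)` so the values pass through unchanged and cannot be echoed back if the serializer is ever reused for output. The 128-character cap on `encrypted_value` also looks tight, since encoded ciphertext is longer than its plaintext; confirm the largest config value this endpoint is expected to handle.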