diff --git a/src/main/java/com/spring/modules/sys/controller/SysUserController.java b/src/main/java/com/spring/modules/sys/controller/SysUserController.java
index 6660e588..33b86482 100644
--- a/src/main/java/com/spring/modules/sys/controller/SysUserController.java
+++ b/src/main/java/com/spring/modules/sys/controller/SysUserController.java
@@ -221,4 +221,15 @@ public class SysUserController extends AbstractController {
 		sysUserService.update(user);
 		return R.ok();
 	}
+
+	/**
+	 * 批量将明文 ifs_password 转换为 AES 加密存储
+	 */
+	@SysLog("批量加密IFS密码")
+	@PostMapping("/batchEncryptIfsPassword")
+	@RequiresPermissions("sys:user:save")
+	public R batchEncryptIfsPassword() {
+		int count = sysUserService.batchEncryptIfsPassword();
+		return R.ok().put("count", count);
+	}
 }
diff --git a/src/main/java/com/spring/modules/sys/service/SysUserService.java b/src/main/java/com/spring/modules/sys/service/SysUserService.java
index 52be5705..f0474b09 100644
--- a/src/main/java/com/spring/modules/sys/service/SysUserService.java
+++ b/src/main/java/com/spring/modules/sys/service/SysUserService.java
@@ -95,4 +95,10 @@ public interface SysUserService extends IService<SysUserEntity> {
 	* @version 1.0
 	*/
     SysUserEntity queryByDomainControlAccount(String username);
+
+	/**
+	 * 批量将明文 ifs_password 转换为 AES 加密存储，已加密的自动跳过。
+	 * @return 本次处理的用户数
+	 */
+	int batchEncryptIfsPassword();
 }
diff --git a/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java b/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java
index 3f9d6ada..a1bc1402 100644
--- a/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java
+++ b/src/main/java/com/spring/modules/sys/service/impl/SysUserServiceImpl.java
@@ -236,4 +236,27 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserDao, SysUserEntity> i
 		return baseMapper.queryByDomainControlAccount(username);
 	}
 
+	@Override
+	@Transactional
+	public int batchEncryptIfsPassword() {
+		// 查询所有设置了 ifs_password 的用户
+		// EncryptTypeHandler.decrypt() 对明文向下兼容（无 ENC: 前缀直接原样返回），
+		// 所以读出的 ifsPassword 始终是明文；
+		// 回写时 EncryptTypeHandler.encrypt() 会加上 ENC: 前缀，
+		// 已加密的值 encrypt() 会自动跳过，保证幂等。
+		List<SysUserEntity> users = this.lambdaQuery()
+				.isNotNull(SysUserEntity::getIfsPassword)
+				.ne(SysUserEntity::getIfsPassword, "")
+				.list();
+		int count = 0;
+		for (SysUserEntity user : users) {
+			SysUserEntity updateEntity = new SysUserEntity();
+			updateEntity.setIfsPassword(user.getIfsPassword());
+			this.update(updateEntity,
+					new QueryWrapper<SysUserEntity>().eq("user_id", user.getUserId()));
+			count++;
+		}
+		return count;
+	}
+
 }