chrisgleissner / microprofile-config-jasypt

Encrypted passwords for Eclipse MicroProfile Config using Jasypt

microprofile-config-jasypt


Encrypted properties for Quarkus and Eclipse Microprofile Config.

Eclipse MicroProfile Config with Jasypt Encryption

An Eclipse MicroProfile Config library for Jasypt-encrypted properties. It lets you keep secrets, in encrypted form, in property files that are widely readable (for example, committed to version control) and decrypt them transparently at runtime. The security of the scheme then rests entirely on the Jasypt password, which must be supplied out-of-band and never stored next to the property files.

Encryption

First, encrypt a value. For example, either of the following two commands encrypts the value foo using the password pwd:

./microprofile-config-jasypt/encrypt.sh pwd foo
mvn -f microprofile-config-jasypt/pom.xml validate -Pencrypt -Djasypt.password=pwd -Dproperty=foo

This will print the encrypted property:

foo -> ENC(eu82k78q/boBye5P574UwNdafDuy9VRy19tdlmM9IeYXWkVIdChdZybEx41rRbdv)

Then use the entire ENC(...)-delimited string as your property value, e.g. in a src/main/resources/application.properties file.

The name of the property file is configurable, and it may be on the classpath or the filesystem. See the configuration section below for details.

Decryption

Add this to your pom.xml:

<dependency>
    <groupId>com.github.chrisgleissner.config</groupId>
    <artifactId>microprofile-config-jasypt</artifactId>
    <version>1.0.5</version>
</dependency>

Then add a file at src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource with the content

com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource

Finally, set the JASYPT_PASSWORD environment variable when starting your application; for the value encrypted in the previous example, set JASYPT_PASSWORD=pwd. This password is the only secret in the scheme, so inject it from the deployment environment or a secret store rather than committing it alongside the property files.

Any ENC(...)-delimited property in a classpath:application.properties file (configurable) is decrypted at runtime; properties without the ENC(...) wrapper are passed through unchanged.

Configuration

You can customize microprofile-config-jasypt via environment variables or system properties as per the following table.

Alternatively, you can subclass com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource, override its methods, and specify the fully qualified name of your subclass in a META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource file on the classpath.

| Environment variable | System property name | Default value | Description |
|---|---|---|---|
| JASYPT_PASSWORD | jasypt.password | none | Password the property values were encrypted with; the same password is required at runtime to decrypt them |
| JASYPT_KEY | jasypt.key | none | Synonym for JASYPT_PASSWORD |
| JASYPT_ALGORITHM | jasypt.algorithm | PBEWithHMACSHA512AndAES_256 | Jasypt PBE algorithm; must match the algorithm used for encryption |
| JASYPT_ITERATIONS | jasypt.iterations | 1000 | Jasypt key obtention (PBKDF) iterations; must match the value used for encryption. 1000 is Jasypt's default and is low by current password-hashing guidance, so raise it where brute-forcing the password is a concern |
| JASYPT_PROPERTIES | jasypt.properties | classpath:application.properties,config/application.properties | Comma-separated property filenames, see below |

Property filenames specified via JASYPT_PROPERTIES are resolved against the classpath if using the classpath: prefix, otherwise against the filesystem relative to the current working directory.
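The following is an added example, not code from the microprofile-config-jasypt project. It shows, in one self-contained class, what the two steps above amount to: the encryption step (the equivalent of encrypt.sh, using Jasypt's StandardPBEStringEncryptor with the README's default algorithm and iteration count) and the runtime step (a MicroProfile ConfigSource written from scratch that reads application.properties, decrypts ENC(...) values and is registered through the same META-INF/services file). It is not a subclass of the project's JasyptConfigSource, whose overridable methods the page does not list. It assumes jasypt 1.9.3 and the microprofile-config-api on the classpath; the class name EncProperties, the ConfigSource name and the fail-fast behaviour on a wrong password are choices made for this example.

```java
// Added example, not part of the microprofile-config-jasypt project.
// Assumes jasypt 1.9.3 (org.jasypt:jasypt) and microprofile-config-api on the classpath.
package example;

import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.eclipse.microprofile.config.spi.ConfigSource;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

public class EncProperties implements ConfigSource {

    static final String PREFIX = "ENC(";
    static final String SUFFIX = ")";
    // Same defaults as the JASYPT_ALGORITHM / JASYPT_ITERATIONS rows of the table above.
    static final String ALGORITHM = "PBEWithHMACSHA512AndAES_256";
    static final int ITERATIONS = 1000;

    // Builds a Jasypt PBE encryptor; the AES-based algorithm needs an IV generator,
    // and jasypt prepends the random IV to the Base64 ciphertext it produces.
    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(password);
        enc.setAlgorithm(ALGORITHM);
        enc.setKeyObtentionIterations(ITERATIONS);
        enc.setIvGenerator(new RandomIvGenerator());
        return enc;
    }

    // Equivalent of `encrypt.sh pwd foo`: wraps the ciphertext in ENC(...).
    // Output differs on every run because the salt and IV are random.
    static String encryptProperty(String password, String plaintext) {
        return PREFIX + encryptor(password).encrypt(plaintext) + SUFFIX;
    }

    // Decrypts an ENC(...) value; anything else is returned unchanged.
    // Unlike the pass-through behaviour shown in the Failed Decryption Example below,
    // a wrong password fails fast here instead of handing the raw ciphertext to the application.
    static String resolve(StandardPBEStringEncryptor enc, String key, String value) {
        if (!value.startsWith(PREFIX) || !value.endsWith(SUFFIX)) {
            return value;
        }
        String cipherText = value.substring(PREFIX.length(), value.length() - SUFFIX.length());
        try {
            return enc.decrypt(cipherText);
        } catch (EncryptionOperationNotPossibleException e) {
            throw new IllegalStateException("cannot decrypt property " + key + " (wrong JASYPT_PASSWORD?)", e);
        }
    }

    private final Map<String, String> props = new HashMap<>();

    // Called by MicroProfile Config via the ServiceLoader; reads the password from the
    // same JASYPT_PASSWORD variable the README uses.
    public EncProperties() {
        String password = System.getenv("JASYPT_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("JASYPT_PASSWORD is not set");
        }
        StandardPBEStringEncryptor enc = encryptor(password);
        Properties p = new Properties();
        try (InputStream in = EncProperties.class.getResourceAsStream("/application.properties")) {
            if (in != null) {
                p.load(in);
            }
        } catch (IOException e) {
            throw new IllegalStateException("cannot read application.properties", e);
        }
        for (String key : p.stringPropertyNames()) {
            props.put(key, resolve(enc, key, p.getProperty(key)));
        }
    }

    @Override public Map<String, String> getProperties() { return props; }
    @Override public Set<String> getPropertyNames() { return props.keySet(); }
    @Override public String getValue(String key) { return props.get(key); }
    @Override public String getName() { return "enc-properties-example"; }
    // Same ordinal the README's log output shows for jasypt-config.
    @Override public int getOrdinal() { return 275; }

    // usage: JASYPT_PASSWORD is not needed here; pass the password and plaintext as arguments.
    public static void main(String[] args) {
        String encrypted = encryptProperty(args[0], args[1]);
        System.out.println(args[1] + " -> " + encrypted);
        // Round trip with the same password proves the value is recoverable.
        System.out.println("round trip: " + resolve(encryptor(args[0]), "demo", encrypted));
    }
}
```

To use the ConfigSource half, list example.EncProperties (instead of the project's JasyptConfigSource) in src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource and start the application with JASYPT_PASSWORD set. The encryption half, run as java example.EncProperties pwd foo, prints an ENC(...) string that the project's own JasyptConfigSource can also decrypt, since both use the same Jasypt algorithm and iteration count; if you change JASYPT_ALGORITHM or JASYPT_ITERATIONS on the runtime side, change ALGORITHM and ITERATIONS here to match.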

Encrypted Properties in Quarkus

Two Quarkus-based examples are included.

The microprofile-config-jasypt-quarkus-example module shows how to configure the default JasyptConfigSource as per the instructions above.

The microprofile-config-jasypt-quarkus-override-example module expands on this and shows how to override the default JasyptConfigSource with a CustomJasyptConfigSource.

Decryption Example

To verify successful decryption, run the following from the repository root:

mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=pwd java -jar target/*-runner.jar)

...and observe that the log contains the decrypted passwords (the example's LogPropertiesBean logs the whole config source for demonstration purposes only; do not log decrypted secrets in a real deployment):

2020-05-24 11:52:53,598 INFO  [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=sa, quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=sa, quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}

Note the ordinal of 275: MicroProfile Config resolves a property from the source with the highest ordinal, so a value set as a system property (default ordinal 400) or environment variable (default ordinal 300) still takes precedence over the decrypted value.

Failed Decryption Example

To see what a failed decryption looks like, run the following from the repository root while intentionally specifying a wrong JASYPT_PASSWORD:

mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=wrong-pwd java -jar target/*-runner.jar)

...and observe that the log still contains the encrypted values. Decryption fails silently: the raw ENC(...) string is passed through as the property value, so the application starts and only fails later (here, when the datasource rejects the ciphertext as a password). Check for this in startup logs or health checks rather than relying on an immediate error.

2020-05-24 11:53:19,318 INFO  [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}