Encrypted properties for Quarkus and Eclipse Microprofile Config.
An Eclipse Microprofile Config library for Jasypt-encrypted properties. This means you can use secrets in publicly accessible property files and decrypt them transparently at runtime.
- For an example on how to use this library with Quarkus see below.
- This repo requires at least Java 8 and is automatically tested on OpenJDK 11.
First, encrypt a property. For example, either of the following two commands encrypts a property foo
using a password pwd
:
./microprofile-config-jasypt/encrypt.sh pwd foo
mvn -f microprofile-config-jasypt/pom.xml validate -Pencrypt -Djasypt.password=pwd -Dproperty=foo
This will print the encrypted property:
foo -> ENC(eu82k78q/boBye5P574UwNdafDuy9VRy19tdlmM9IeYXWkVIdChdZybEx41rRbdv)
Then use the entire ENC(...)
-delimited string as your property value, e.g. in a src/main/resources/application.properties
file.
The name of the property file is configurable, and it may be on the classpath or the filesystem. See the configuration section below for details.
Add this to your pom.xml
:
<dependency>
<groupId>com.github.chrisgleissner.config</groupId>
<artifactId>microprofile-config-jasypt</artifactId>
<version>1.0.5</version>
</dependency>
Then add a file at src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource
with the content
com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource
Finally set the JASYPT_PASSWORD
environment variable when starting your application. As per the previous example, set JASYPT_PASSWORD=pwd
.
Any ENC(...)
-delimited property in a classpath:application.properties
file (configurable) gets decoded at run-time.
You can customize microprofile-config-jasypt
via environment variables or system properties as per the following table.
Alternatively, you can subclass com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource
,
override its methods, and specify the fully qualified name of your subclass in a
META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource
file on the classpath.
Environment variable | System property name | Default value | Description |
---|---|---|---|
JASYPT_PASSWORD |
jasypt.password |
none | Password used for encrypting property values |
JASYPT_KEY |
jasypt.key |
none | Synonym for JASYPT_PASSWORD |
JASYPT_ALGORITHM |
jasypt.algorithm |
PBEWithHMACSHA512AndAES_256 |
Encryption algorithm |
JASYPT_ITERATIONS |
jasypt.iterations |
1000 | Jasypt key obtention iterations |
JASYPT_PROPERTIES |
jasypt.properties |
classpath:application.properties,config/application.properties |
Comma-separated property filenames, see below. |
Property filenames specified via JASYPT_PROPERTIES
are resolved against the classpath if using the classpath:
prefix,
otherwise against the filesystem relative to the current working directory.
Two Quarkus-based examples are included.
The microprofile-config-jasypt-quarkus-example
module shows how to configure the default JasyptConfigSource
as per the instructions above:
- Encrypted properties can be used both for normal and for profile-specific properties, eg. properties with the
%prod.
prefix. - For demonstration purposes only, the
LogPropertiesBean
in this module logs all properties on startup.
The microprofile-config-jasypt-quarkus-override-example
module expands on this and shows how to override
the default JasyptConfigSource
with a CustomJasyptConfigSource
.
To verify successful decryption, run the following from the repository root:
mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=pwd java -jar target/*-runner.jar)
...and observe the log contains decrypted passwords:
2020-05-24 11:52:53,598 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=sa, quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=sa, quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}
To verify a failed decryption, run the following from repository root whilst intentionally specifying a wrong JASYPT_PASSWORD
:
mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=wrong-pwd java -jar target/*-runner.jar)
...and observe the log contains encrypted passwords:
2020-05-24 11:53:19,318 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}