microprofile-config-jasypt

Encrypted properties for Quarkus and Eclipse Microprofile Config.

Eclipse MicroProfile Config with Jasypt Encryption

An Eclipse Microprofile Config library for Jasypt-encrypted properties. This means you can use secrets in publicly accessible property files and decrypt them transparently at runtime.

For an example on how to use this library with Quarkus see below.
This repo requires at least Java 8 and is automatically tested on OpenJDK 11.

Encryption

First, encrypt a property. For example, either of the following two commands encrypts a property foo using a password pwd:

./microprofile-config-jasypt/encrypt.sh pwd foo
mvn -f microprofile-config-jasypt/pom.xml validate -Pencrypt -Djasypt.password=pwd -Dproperty=foo

This will print the encrypted property:

foo -> ENC(eu82k78q/boBye5P574UwNdafDuy9VRy19tdlmM9IeYXWkVIdChdZybEx41rRbdv)

Then use the entire ENC(...)-delimited string as your property value, e.g. in a src/main/resources/application.properties file.

The name of the property file is configurable, and it may be on the classpath or the filesystem. See the configuration section below for details.

Decryption

Add this to your pom.xml:

<dependency>
    <groupId>com.github.chrisgleissner.config</groupId>
    <artifactId>microprofile-config-jasypt</artifactId>
    <version>1.0.5</version>
</dependency>

Then add a file at src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource with the content

com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource

Finally set the JASYPT_PASSWORD environment variable when starting your application. As per the previous example, set JASYPT_PASSWORD=pwd.

Any ENC(...)-delimited property in a classpath:application.properties file (configurable) gets decoded at run-time.

Configuration

You can customize microprofile-config-jasypt via environment variables or system properties as per the following table.

Alternatively, you can subclass com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource, override its methods, and specify the fully qualified name of your subclass in a META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource file on the classpath.

Environment variable	System property name	Default value	Description
`JASYPT_PASSWORD`	`jasypt.password`	none	Password used for encrypting property values
`JASYPT_KEY`	`jasypt.key`	none	Synonym for `JASYPT_PASSWORD`
`JASYPT_ALGORITHM`	`jasypt.algorithm`	`PBEWithHMACSHA512AndAES_256`	Encryption algorithm
`JASYPT_ITERATIONS`	`jasypt.iterations`	1000	Jasypt key obtention iterations
`JASYPT_PROPERTIES`	`jasypt.properties`	`classpath:application.properties,config/application.properties`	Comma-separated property filenames, see below.

Property filenames specified via JASYPT_PROPERTIES are resolved against the classpath if using the classpath: prefix, otherwise against the filesystem relative to the current working directory.

Encrypted Properties in Quarkus

Two Quarkus-based examples are included.

The microprofile-config-jasypt-quarkus-example module shows how to configure the default JasyptConfigSource as per the instructions above:

Encrypted properties can be used both for normal and for profile-specific properties, eg. properties with the %prod. prefix.
For demonstration purposes only, the LogPropertiesBean in this module logs all properties on startup.

The microprofile-config-jasypt-quarkus-override-example module expands on this and shows how to override the default JasyptConfigSource with a CustomJasyptConfigSource.

Decryption Example

To verify successful decryption, run the following from the repository root:

mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=pwd java -jar target/*-runner.jar)

...and observe the log contains decrypted passwords:

2020-05-24 11:52:53,598 INFO  [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=sa, quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=sa, quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}

Failed Decryption Example

To verify a failed decryption, run the following from repository root whilst intentionally specifying a wrong JASYPT_PASSWORD:

mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=wrong-pwd java -jar target/*-runner.jar)

...and observe the log contains encrypted passwords:

2020-05-24 11:53:19,318 INFO  [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}

chrisgleissner / microprofile-config-jasypt