https://github.com/chrisgleissner/microprofile-config-jasypt
Encrypted passwords for Eclipse MicroProfile Config using Jasypt
- Host: GitHub
- URL: https://github.com/chrisgleissner/microprofile-config-jasypt
- Owner: chrisgleissner
- Created: 2020-05-22T16:46:11.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2023-09-03T16:09:46.000Z (about 1 year ago)
- Last Synced: 2024-10-23T02:33:41.607Z (28 days ago)
- Topics: configuration, encryption, jasypt, java, java-11, java-8, microprofile-config, password-safety, properties, quarkus, quarkusio
- Language: Java
- Homepage:
- Size: 117 KB
- Stars: 2
- Watchers: 2
- Forks: 0
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
# microprofile-config-jasypt
[![Maven Central](https://img.shields.io/maven-central/v/com.github.chrisgleissner.config/microprofile-config-jasypt)](https://search.maven.org/artifact/com.github.chrisgleissner.config/microprofile-config-jasypt/)
[![Build Status](https://travis-ci.com/chrisgleissner/config.svg?branch=master)](https://travis-ci.com/chrisgleissner/config)
[![Coverage Status](https://coveralls.io/repos/github/chrisgleissner/config/badge.svg?branch=master)](https://coveralls.io/github/chrisgleissner/config?branch=master)
[![Maintainability](https://api.codeclimate.com/v1/badges/68a242cd2d727a5af43d/maintainability)](https://codeclimate.com/github/chrisgleissner/config/maintainability)

Encrypted properties for [Quarkus](https://quarkus.io) and [Eclipse MicroProfile Config](https://github.com/eclipse/microprofile-config).
## Eclipse MicroProfile Config with Jasypt Encryption
An [Eclipse MicroProfile Config](https://github.com/eclipse/microprofile-config) library
for [Jasypt](http://www.jasypt.org)-encrypted properties. This means you can use secrets in publicly accessible
property files and decrypt them transparently at runtime.
* For an example of how to use this library with [Quarkus](https://quarkus.io), see below.
* This repo requires at least Java 8 and is automatically tested on OpenJDK 11.

### Encryption
First, encrypt a property. For example, either of the following two commands encrypts a property `foo` using a password `pwd`:
```
./microprofile-config-jasypt/encrypt.sh pwd foo
mvn -f microprofile-config-jasypt/pom.xml validate -Pencrypt -Djasypt.password=pwd -Dproperty=foo
```
This will print the encrypted property:
```
foo -> ENC(eu82k78q/boBye5P574UwNdafDuy9VRy19tdlmM9IeYXWkVIdChdZybEx41rRbdv)
```
Then use the entire `ENC(...)`-delimited string as your property value, e.g. in a `src/main/resources/application.properties` file.

The name of the property file is configurable, and it may be on the classpath or the filesystem. See the configuration section below for details.

### Decryption
Add this to your `pom.xml`:
```
<dependency>
    <groupId>com.github.chrisgleissner.config</groupId>
    <artifactId>microprofile-config-jasypt</artifactId>
    <version>1.0.5</version>
</dependency>
```
Then add a file at `src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource` with the content
```
com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource
```
Finally, set the `JASYPT_PASSWORD` environment variable when starting your application. As per the previous example, set `JASYPT_PASSWORD=pwd`.
Any `ENC(...)`-delimited property in a `classpath:application.properties` file (configurable) gets decoded at run-time.
### Configuration
You can customize `microprofile-config-jasypt` via environment variables or system properties as per the following table.
Alternatively, you can subclass [`com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource`](https://github.com/chrisgleissner/config/blob/master/microprofile-config-jasypt/src/main/java/com/github/chrisgleissner/config/microprofile/jasypt/JasyptConfigSource.java),
override its methods, and specify the fully qualified name of your subclass in a
`META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource` file on the classpath.

| Environment variable | System property name | Default value | Description |
|----------------------|-----------------------|----------------|--------------|
| `JASYPT_PASSWORD` | `jasypt.password` | none | Password used for encrypting property values |
| `JASYPT_KEY` | `jasypt.key` | none | Synonym for `JASYPT_PASSWORD` |
| `JASYPT_ALGORITHM` | `jasypt.algorithm` | `PBEWithHMACSHA512AndAES_256` | [Encryption algorithm](http://www.jasypt.org/cli.html#Listing_algorithms) |
| `JASYPT_ITERATIONS` | `jasypt.iterations` | 1000 | Jasypt key obtention iterations |
| `JASYPT_PROPERTIES` | `jasypt.properties` | `classpath:application.properties,config/application.properties` | Comma-separated property filenames, see below. |

Property filenames specified via `JASYPT_PROPERTIES` are resolved against the classpath if using the `classpath:` prefix,
otherwise against the filesystem relative to the current working directory.

## Encrypted Properties in Quarkus
Two [Quarkus](https://quarkus.io)-based examples are included.
The [`microprofile-config-jasypt-quarkus-example`](https://github.com/chrisgleissner/microprofile-config-jasypt/tree/master/microprofile-config-jasypt-quarkus-example)
module shows how to configure the default `JasyptConfigSource` as per the instructions above:
* Encrypted properties can be used both for normal and for profile-specific properties, e.g. properties with the `%prod.` prefix.
* For demonstration purposes only, the `LogPropertiesBean` in this module logs all properties on startup.

The [`microprofile-config-jasypt-quarkus-override-example`](https://github.com/chrisgleissner/microprofile-config-jasypt/tree/master/microprofile-config-jasypt-quarkus-override-example)
module expands on this and shows how to [override](https://github.com/chrisgleissner/microprofile-config-jasypt/blob/master/microprofile-config-jasypt-quarkus-override-example/src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource)
the default `JasyptConfigSource` with a [`CustomJasyptConfigSource`](https://github.com/chrisgleissner/microprofile-config-jasypt/blob/master/microprofile-config-jasypt-quarkus-override-example/src/main/java/com/github/chrisgleissner/config/microprofile/jasypt/quarkus/CustomJasyptConfigSource.java).

### Decryption Example
To verify successful decryption, run the following from the repository root:
```
mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=pwd java -jar target/*-runner.jar)
```
...and observe the log contains decrypted passwords:
```
2020-05-24 11:52:53,598 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=sa, quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=sa, quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}
```

### Failed Decryption Example
To verify a failed decryption, run the following from the repository root whilst intentionally specifying a wrong `JASYPT_PASSWORD`:
```
mvn clean install
(cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=wrong-pwd java -jar target/*-runner.jar)
```
...and observe the log contains encrypted passwords:
```
2020-05-24 11:53:19,318 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
{quarkus.datasource.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}
```
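
As the failed-decryption run shows, a wrong `JASYPT_PASSWORD` does not stop the application: the affected properties simply keep their `ENC(...)` value. The following startup guard is an added example, not code from this project; the class name `EncryptedPropertyGuard` and its methods are hypothetical, and the sample map is constructed to resemble the log output above.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

/** Added example (not part of microprofile-config-jasypt): detect values left undecrypted. */
public class EncryptedPropertyGuard {

    // A resolved value that is still wrapped in ENC(...) was not decrypted.
    private static final Pattern STILL_ENCRYPTED =
            Pattern.compile("^\\s*ENC\\(.*\\)\\s*$", Pattern.DOTALL);

    /** Returns the names of all properties whose resolved value is still ENC(...)-delimited. */
    static Set<String> undecrypted(Map<String, String> resolved) {
        Set<String> names = new TreeSet<>();
        for (Map.Entry<String, String> e : resolved.entrySet()) {
            String value = e.getValue();
            if (value != null && STILL_ENCRYPTED.matcher(value).matches()) {
                names.add(e.getKey());
            }
        }
        return names;
    }

    /** Fails fast if anything is still encrypted; the message names keys only, never values. */
    static void requireAllDecrypted(Map<String, String> resolved) {
        Set<String> names = undecrypted(resolved);
        if (!names.isEmpty()) {
            throw new IllegalStateException(
                    "Undecrypted properties (check JASYPT_PASSWORD): " + names);
        }
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the failed-decryption log output.
        Map<String, String> resolved = new LinkedHashMap<>();
        resolved.put("quarkus.datasource.username", "sa");
        resolved.put("quarkus.datasource.password", "ENC(constructed-ciphertext)");
        resolved.put("config.password", "ENC(constructed-ciphertext)");
        resolved.put("quarkus.http.port", "8080");

        try {
            requireAllDecrypted(resolved);
        } catch (IllegalStateException e) {
            System.out.println("startup aborted: " + e.getMessage());
        }
    }
}
```

In an application, the map would be filled from the resolved MicroProfile Config values at startup instead of the constructed sample.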