Chapter 49. Jasypt
Since Camel 2.5
Jasypt is a simplified encryption library which makes encryption and decryption easy. Camel integrates with Jasypt to allow sensitive information in Properties files to be encrypted. By dropping camel-jasypt on the classpath those encrypted values will automatically be decrypted on-the-fly by Camel. This ensures that human eyes can’t easily spot sensitive information such as usernames and passwords.
49.1. Dependencies
When using camel-jasypt with Red Hat build of Camel Spring Boot, add the following Maven dependency to your pom.xml to have support for auto configuration:
<dependency>
    <groupId>org.apache.camel.springboot</groupId>
    <artifactId>camel-jasypt-starter</artifactId>
</dependency>
49.2. Tooling
The Jasypt component is a runnable JAR that provides a command line utility to encrypt or decrypt values. The usage documentation can be output to the console to describe the syntax and options it provides:
A simple way of running the tool is with JBang. For example, to encrypt the value tiger, you can use the following parameters. Make sure to specify the version of camel-jasypt that you want to use.
$ jbang org.apache.camel:camel-jasypt:<camel version here> -c encrypt -p secret -i tiger
Which outputs the following result:
Encrypted text: qaEEacuW7BUti8LcMgyjKw==
This means the encrypted representation qaEEacuW7BUti8LcMgyjKw== can be decrypted back to tiger if you know the master password which was secret.
If you run the tool again, the encrypted value will be different, because a random salt is used for each encryption. Decrypting any of those values will still return the correct original value.
You can test decrypting the value by running the tooling using the following parameters:
$ jbang org.apache.camel:camel-jasypt:<camel version here> -c decrypt -p secret -i qaEEacuW7BUti8LcMgyjKw==
Which outputs the following result:
Decrypted text: tiger
The idea is then to use those encrypted values in your Properties files. For example,
# Encrypted value for 'tiger'
my.secret = ENC(qaEEacuW7BUti8LcMgyjKw==)
49.3. Protecting the master password
The master password used by Jasypt must be provided so that it can decrypt the values. However, having this master password out in the open may not be an ideal solution. Therefore, you could for example provide it as a JVM system property or as an OS environment setting. If you decide to do so, the password option supports prefixes that dictate this:
- sysenv: means to look up the OS system environment with the given key.
- sys: means to look up a JVM system property.
For example, you could provide the password before you start the application:
$ export CAMEL_ENCRYPTION_PASSWORD=secret
Then start the application, such as running the start script.
When the application is up and running, you can unset the environment variable:
$ unset CAMEL_ENCRYPTION_PASSWORD
On runtimes like Spring Boot and Quarkus, you can configure a password property in the application.properties file as follows.
password=sysenv:CAMEL_ENCRYPTION_PASSWORD
Or if configuring JasyptPropertiesParser manually, you can set the password like this.
jasyptPropertiesParser.setPassword("sysenv:CAMEL_ENCRYPTION_PASSWORD");
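A check that follows from this section and the ENC(...) convention, as an added example that is not part of the Camel or Red Hat documentation: a small Python audit of a properties file that flags a literal master password, secret-looking keys whose values are not wrapped in ENC(...), and reliance on the default PBEWithMD5AndDES algorithm. The sample file, the key-name pattern and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: an application.properties that mixes good and bad practice.
SAMPLE = """\
camel.component.jasypt.enabled = true
camel.component.jasypt.password = secret
my.secret = ENC(qaEEacuW7BUti8LcMgyjKw==)
db.password = tiger
db.username = scott
"""

ENC_RE = re.compile(r"^ENC\(.+\)$")
# Assumption: key names that usually hold secrets; adapt to your naming scheme.
SENSITIVE_RE = re.compile(r"password|passwd|secret|token|api[-_.]?key", re.I)
MASTER_KEYS = {"password", "camel.component.jasypt.password"}
ALGORITHM_KEY = "camel.component.jasypt.algorithm"
DEFAULT_ALGORITHM = "PBEWithMD5AndDES"  # default listed for the algorithm option


def parse_properties(text):
    """Parse 'key = value' lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return (key, finding) tuples for settings that leave secrets exposed."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if key in MASTER_KEYS:
            # The master password cannot itself be ENC(...); it should be a lookup.
            if not value.startswith(("sysenv:", "sys:")):
                findings.append((key, "literal master password; use sysenv: or sys:"))
        elif SENSITIVE_RE.search(key) and not ENC_RE.match(value):
            findings.append((key, "plaintext value; expected ENC(...)"))
    if props.get(ALGORITHM_KEY, DEFAULT_ALGORITHM) == DEFAULT_ALGORITHM:
        findings.append((ALGORITHM_KEY, "MD5/DES default in use; set a stronger algorithm"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

Run against a real file with `audit(open(path).read())`; an empty list means every checked key passed.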
49.4. Example with Java DSL
On the Spring Boot and Quarkus runtimes, Camel Jasypt can be configured via configuration properties. Refer to their respective documentation pages for more information.
In Java DSL you need to configure Jasypt as a JasyptPropertiesParser instance and set the properties in the Properties component as shown below:
It is possible to configure custom algorithms on the JasyptPropertiesParser like this.
JasyptPropertiesParser jasyptPropertiesParser = new JasyptPropertiesParser();
jasyptPropertiesParser.setAlgorithm("PBEWithHmacSHA256AndAES_256");
jasyptPropertiesParser.setRandomSaltGeneratorAlgorithm("PKCS11");
jasyptPropertiesParser.setRandomIvGeneratorAlgorithm("PKCS11");
The properties file secret.properties will contain your encrypted configuration values, such as shown below. Notice how the password value is encrypted and is surrounded like ENC(value here).
my.secret.password=ENC(bsW9uV37gQ0QHFu7KO03Ww==)
49.5. Example with Spring XML
In Spring XML you need to configure the JasyptPropertiesParser which is shown below. Then the Camel Properties component is told to use jasypt as the properties parser, which means Jasypt has its chance to decrypt values looked up in the properties.
The Properties component can also be inlined inside the <camelContext> tag which is shown below. Notice how we use the propertiesParserRef attribute to refer to Jasypt.
49.6. Spring Boot Auto-Configuration
The component supports 8 options, which are listed below.
| Name | Description | Default | Type |
|---|---|---|---|
| camel.component.jasypt.algorithm | The algorithm to be used for decryption. | PBEWithMD5AndDES | String |
| camel.component.jasypt.enabled | Enable the component. | false | Boolean |
| camel.component.jasypt.iv-generator-class-name | The initialization vector (IV) generator applied in decryption operations. Default: org.jasypt.iv. | | String |
| camel.component.jasypt.password | The master password used by Jasypt for decrypting the values. This option supports prefixes which influence the master password lookup behaviour: sysenv: means to look up the OS system environment with the given key. sys: means to look up a JVM system property. | | String |
| camel.component.jasypt.provider-name | The class name of the security provider to be used for obtaining the encryption algorithm. | | String |
| camel.component.jasypt.random-iv-generator-algorithm | The algorithm for the random iv generator. | SHA1PRNG | String |
| camel.component.jasypt.random-salt-generator-algorithm | The algorithm for the salt generator. | SHA1PRNG | String |
| camel.component.jasypt.salt-generator-class-name | The salt generator applied in decryption operations. Default: org.jasypt.salt.RandomSaltGenerator. | org.jasypt.salt.RandomSaltGenerator | String |