| The configuration of Jasypt in Camel Quarkus is driven by <<extensions-jasypt-additional-camel-quarkus-configuration,configuration properties>>. |
| |
| The minimum expectation is that you provide a master password for Jasypt decryption with configuration property `quarkus.camel.jasypt.password`. |
| |
| You can choose the encryption algorithm and other aspects of the Jasypt configuration via the `quarkus.camel.jasypt` options described below. |
| |
| By default, you do not need to write custom code to configure the Camel `JasyptPropertiesParser` or `PropertiesComponent`. This is done for you automatically. |
| |
| Any Camel configuration property added to `application.properties` can be secured with Jasypt. |
| To encrypt a value, there is a utility that can be run with https://www.jbang.dev/[JBang]. |
| |
| [source] |
| ---- |
| jbang org.apache.camel:camel-jasypt:{camel-version} -c encrypt -p secret-password -i "Some secret content" |
| ---- |
| |
| IMPORTANT: If you choose to use a different Jasypt algorithm to the default (`PBEWithMD5AndDES`), you must provide `-a` (algorithm), `-riga` (IV generator algorithm) & `-rsga` (Salt generator algorithm) |
| arguments to set the correct algorithms used in encryption. Else your application will not be able to decrypt configuration values. |
| |
| Alternatively, when running in dev mode, open the https://quarkus.io/guides/dev-mode-differences#dev-ui[Dev UI] and click the 'utilities' link in the Camel Jasypt pane. |
| Next, select either the 'Decrypt' or 'Encrypt' action, enter some text and click the submit button. The result of the action is output together with a button to copy it to the clipboard. |
| |
| Configuration properties can be added to `application.properties` with the encrypted value enclosed within `ENC()` For example. |
| |
| [source] |
| ---- |
| my.secret = ENC(BoDSRQfdBME4V/AcugPOkaR+IcyKufGz) |
| ---- |
| |
| In your Camel routes, you can refer to the property name using the standard placeholder syntax and its value will get decrypted. |
| |
| [source,java] |
| ---- |
| public class MySecureRoute extends RouteBuilder { |
| @Override |
| public void configure() { |
| from("timer:tick?period=5s") |
| .to("{{my.secret}}"); |
| } |
| } |
| ---- |
| |
| TIP: You can use the ability to mask security sensitive configuration in Camel by suffixing property values with `.secret`. |
| You can also disable the startup configuration summary with the configuration `camel.main.autoConfigurationLogSummary = false`. |
| |
| === Injecting encrypted configuration |
| |
| You can use the `@ConfigProperty` annotation to inject encrypted configuration into your Camel routes or CDI beans. |
| |
| [source,java] |
| ---- |
| @ApplicationScoped |
| public class MySecureRoute extends RouteBuilder { |
| @ConfigInject("my.secret") |
| String mySecret; |
| |
| @Override |
| public void configure() { |
| from("timer:tick?period=5s") |
| .to(mySecret); |
| } |
| } |
| ---- |
| |
| ==== Securing alternate configuration sources |
| |
| If you prefer to keep your secret configuration in a file separate to `application.properties`, |
| you can use the `quarkus.config.locations` configuration option to specify additional configuration files. |
| |
| In native mode you must also add any additional configuration file resource paths to `quarkus.native.resources.includes`. |
| |
| ==== Finer control of Jasypt configuration |
| |
| If you require finer control of the Jasypt configuration than that provided by the default configuration, the following options are available. |
| |
| ===== JasyptConfigurationCustomizer |
| |
| Implement a `JasyptConfigurationCustomizer` class to customize any aspect of the Jasypt `EnvironmentStringPBEConfig`. |
| |
| [source,java] |
| ---- |
| package org.acme; |
| |
| import org.apache.camel.quarkus.component.jasypt.JasyptConfigurationCustomizer; |
| import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig; |
| import org.jasypt.iv.RandomIvGenerator; |
| import org.jasypt.salt.RandomSaltGenerator; |
| |
| public class JasyptConfigurationCustomizer implements JasyptConfigurationCustomizer { |
| public void customize(EnvironmentStringPBEConfig config) { |
| // Custom algorithms |
| config.setAlgorithm("PBEWithHmacSHA256AndAES_256"); |
| config.setSaltGenerator(new RandomSaltGenerator("PKCS11")); |
| config.setIvGenerator(new RandomIvGenerator("PKCS11")); |
| // Additional customizations... |
| } |
| } |
| ---- |
| |
| In `application.properties` add the `quarkus.camel.jasypt.configuration-customizer-class-name` configuration property. |
| |
| [source] |
| ---- |
| quarkus.camel.jasypt.configuration-customizer-class-name = org.acme.MyJasyptEncryptorCustomizer |
| ---- |
| |
| ===== Disabling automatic Jasypt configuration |
| |
| If you prefer to use the 'classic' Java DSL way of configuring Camel Jasypt, you can disable the automatic configuration with `quarkus.camel.jasypt.enabled = false`. |
| |
| This allows you to configure the Camel `JasyptPropertiesParser` and `PropertiesComponent` manually. |
| |
| NOTE: In this mode, you cannot use the `@ConfigProperty` annotation to inject encrypted configuration properties. |
| |
| [source,java] |
| ---- |
| import org.apache.camel.CamelContext; |
| import org.apache.camel.component.jasypt.JasyptPropertiesParser; |
| import org.apache.camel.component.properties.PropertiesComponent; |
| |
| public class MySecureRoute extends RouteBuilder { |
| @Override |
| public void configure() { |
| JasyptPropertiesParser jasypt = new JasyptPropertiesParser(); |
| jasypt.setPassword("secret"); |
| |
| PropertiesComponent component = (PropertiesComponent) getContext().getPropertiesComponent(); |
| jasypt.setPropertiesComponent(component); |
| component.setPropertiesParser(jasypt); |
| |
| from("timer:tick?period=5s") |
| .to("{{my.secret}}"); |
| } |
| } |
| ---- |
| |
| NOTE: If you call `setLocation(...)` on the `PropertiesComponent` to specify a custom configuration file location using the `classpath:` prefix, |
| you must add the file to `quarkus.native.resources.includes` so that it can be loaded in native mode. |
