...

  • The application decrypts properties at startup. If decryption fails, the application will not start. The usual causes are that no password is configured, or that the configured password is not the one the property was encrypted with.
  • Contrary to the old mechanism, any property can be encrypted.

Document Renderer Service

The Document Renderer Service has the same mechanism for encrypting any property value.

The best practice for configuring the password is to set it as an environment variable like this:

Environment variable:
BLUERIQ__PROPERTIES__ENCRYPTION__PASSWORD=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Or to pass it as a runtime argument on startup like this:

Runtime argument:
--blueriq:properties:encryption:password=190f704dcab801253434864b03d498be04e7cb7407063eb5df41101e313ea32f

Technically, you can also set it as a regular property in the .yml file, but this is not recommended: it defeats the purpose of encrypting your properties when the password sits in the same file.

Encrypting passwords with the Blueriq Encryptor

...

The encryption uses the following parameters:

  • AES encryption in CBC mode with PKCS#5 padding and a 256 bit key.
  • Key Derivation Function: PBKDF2 (Password-Based Encryption Key Derivation Function 2) with the SHA-512 hash function and 1000 iterations.
  • A random 16 bit salt, generated when encrypting the property.
  • A random 16 bit initialization vector, generated when encrypting the property.

The Document Renderer Service assumes this algorithm is used and currently supports no other means for encryption!

Customizing property encryption

...

application.properties:
jasypt.encryptor.bean = <name_of_the_custom_bean>

...

Info: Blueriq Encryptor

You have to provide your own encryptor application. Blueriq Encryptor only works for non-customized encryption.

Info: Document Renderer Support

The Document Renderer Service currently has no support for custom decryption algorithms.