Encryption of a single property

Learn how you can encrypt a single sensitive property stored in the efm.properties file.

To encrypt a property, you should use the Jasypt CLI which you can download from here: http://www.jasypt.org/cli.html

Once you download the CLI, a single property can be encrypted by using the following command:

./encrypt.sh input=propertyValueToEncrypt password=secretKey \
algorithm=PBEWITHHMACSHA512ANDAES_256 \
ivGeneratorClassName=org.jasypt.iv.RandomIvGenerator

Please note that you need to specify the above algorithm and ivGeneratorClassName values because these are the defaults in Edge Flow Manager (EFM). If you do not specify them, the Jasypt CLI uses its own defaults, which are incompatible with EFM. If you still want to use the Jasypt defaults, or if you want to choose a different algorithm, you need to tell EFM which ones to use with these properties in the efm.properties file:

efm.property.encryptor.algorithm=
efm.property.encryptor.ivGeneratorClassName=

To list the available algorithms, you can run the following command:

./listAlgorithms.sh

Please note that this command does not list any algorithm from non-default JCE providers like Bouncy Castle unless you have registered such providers with the JVM. For more info visit http://www.jasypt.org/non-default-providers.html.

You can use this approach to encrypt multiple properties, but you should use the same password for each as you can provide only one password when starting up EFM.

With some Java 8 versions, the Jasypt CLI throws a java.lang.ExceptionInInitializerError. To fix this issue, you need to update the icu4j library used by Jasypt. This means replacing the <jasypt-root>/lib/icu4j-3.4.4.jar file (if you are using Jasypt 1.9.3) with a newer version that you can download from here: https://github.com/unicode-org/icu/releases/download/release-68-2/icu4j-68_2.jar.

Once you acquire the encrypted value, you need to wrap it in ENC(...) to let EFM know that it should treat the property as an encrypted value. For example:

efm.server.ssl.keyStorePassword=ENC(e2cpfr5CA+xyS8uU2BNXltKoR/hCBJeJlBxMAO2lNgt1snFOGza6uUCJCZGGNl5Q)
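As an added example (not part of the EFM documentation or of the Jasypt project), the following Java program produces the same kind of value as the encrypt.sh command above by configuring Jasypt's StandardPBEStringEncryptor with the EFM defaults, wraps it in ENC(...) and verifies the round trip; it also shows why the algorithm and IV generator flags are mandatory by trying to read the value with Jasypt's own default settings. The password and property value are constructed placeholders; it assumes jasypt 1.9.3 (the first version with setIvGenerator) on the classpath.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

public class EfmPropertyEncryptor {

    // Same settings as the encrypt.sh invocation in the text: EFM's defaults.
    static final String EFM_ALGORITHM = "PBEWITHHMACSHA512ANDAES_256";

    // Encryptor configured exactly as EFM expects: AES-256 with a PBKDF2-HMAC-SHA512 key
    // and a random IV. Jasypt stores the random salt and IV inside the produced value.
    static StandardPBEStringEncryptor efmCompatible(String password) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(password);
        enc.setAlgorithm(EFM_ALGORITHM);
        enc.setIvGenerator(new RandomIvGenerator());
        return enc;
    }

    // Wrap the ciphertext the way EFM expects it in efm.properties.
    static String toProperty(String key, String encrypted) {
        return key + "=ENC(" + encrypted + ")";
    }

    public static void main(String[] args) {
        String password = "secretKey";           // constructed placeholder; one password for all properties
        String plain = "propertyValueToEncrypt"; // constructed placeholder

        String cipher = efmCompatible(password).encrypt(plain);
        System.out.println(toProperty("efm.server.ssl.keyStorePassword", cipher));

        // A fresh encryptor with the same password and settings must recover the value,
        // which is what EFM does at startup.
        if (!plain.equals(efmCompatible(password).decrypt(cipher))) {
            throw new IllegalStateException("round trip failed");
        }

        // Jasypt's CLI defaults (PBEWithMD5AndDES, no IV generator) are not compatible:
        // decrypting the EFM-style value with them fails instead of yielding the plaintext.
        StandardPBEStringEncryptor cliDefault = new StandardPBEStringEncryptor();
        cliDefault.setPassword(password);
        try {
            cliDefault.decrypt(cipher);
            System.out.println("unexpected: default settings decrypted the EFM value");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("default Jasypt settings cannot decrypt the EFM value, as expected");
        }
    }
}
```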