
Configuration reference

All properties use the prefix jeap.crypto. The KMS-specific properties live under jeap.crypto.vault.* (HashiCorp Vault) or jeap.crypto.awskms.* (AWS KMS). Durations accept ISO-8601 (PT1H) or a value with a unit (1h, 30m).

For data-key caching, escrow encryption and metrics see Key management.

Common

| Property | Mandatory | Default | Description |
|---|---|---|---|
| `jeap.crypto.disabledForTestEnv` | No | `false` | Disables the crypto engine: `encrypt`/`decrypt` then return their input unchanged. Rejected for the `abn`/`prod` profiles. |

Vault (jeap.crypto.vault)

| Property | Mandatory | Default | Description |
|---|---|---|---|
| `default-secret-engine-path` | No | `transit/${jeap.vault.system-name}` | Path of the Vault Transit secrets engine used to generate data keys |
| `default-encryption-key-cache-expiry-duration` | No | `1h` | How long data keys are reused for encryption |
| `default-decryption-key-cache-expiry-duration` | No | `6h` | How long data keys are cached for decryption |
| `encryption-key-max-cache-size` | No | `100` | Max number of encryption data keys cached. `0` disables the encryption cache |
| `decryption-key-max-cache-size` | No | `50000` | Max number of decryption data keys cached. `0` disables the decryption cache |
| `keys.<keyName>` | Yes | | Logical name of a wrapping key. The `CryptoService` bean name is `<keyName>CryptoService` |
| `keys.<keyName>.key-name` | Yes | | Name of the wrapping key in the Vault Transit secrets engine |
| `keys.<keyName>.secret-engine-path` | No | `default-secret-engine-path` | Override the secret-engine path for this wrapping key |
| `keys.<keyName>.encryption-cache-expiry-duration` | No | the `default-…` value | Override the encryption cache duration for this key. `0` disables caching |
| `keys.<keyName>.decryption-cache-expiry-duration` | No | the `default-…` value | Override the decryption cache duration for this key. `0` disables caching |

```yaml
jeap:
  vault:
    system-name: "testapp"
  crypto:
    vault:
      keys:
        myDb:
          key-name: "testapp-my-database-key"
          encryption-cache-expiry-duration: 2h
          decryption-cache-expiry-duration: 12h
        myObjectStore:
          secret-engine-path: "otherapp/transit"
          key-name: "otherapp-my-objectstore-key"
```

AWS KMS (jeap.crypto.awskms)

| Property | Mandatory | Default | Description |
|---|---|---|---|
| `region` | Yes* | env var `AWS_REGION` | AWS region for KMS. Required if `AWS_REGION` is not set |
| `endpoint` | No | | Override the KMS endpoint URI (e.g. for LocalStack) |
| `default-escrow-key.key-type` | No | `RSA_4096` | Escrow key type: `RSA_4096` or `NONE` |
| `default-escrow-key.public-key` | Yes* | | X.509 PEM public key of the escrow key. Not required if the escrow key-type is `NONE` |
| `default-encryption-key-cache-expiry-duration` | No | `1h` | How long data keys are reused for encryption |
| `default-decryption-key-cache-expiry-duration` | No | `6h` | How long data keys are cached for decryption |
| `encryption-key-max-cache-size` | No | `100` | Max number of encryption data keys cached. `0` disables the encryption cache |
| `decryption-key-max-cache-size` | No | `50000` | Max number of decryption data keys cached. `0` disables the decryption cache |
| `keys.<keyName>` | Yes | | Logical name of a wrapping key. The `CryptoService` bean name is `<keyName>CryptoService` |
| `keys.<keyName>.key-arn` | Yes | | AWS KMS key ARN, alias, alias ARN or key id |
| `keys.<keyName>.encryption-cache-expiry-duration` | No | the `default-…` value | Override the encryption cache duration for this key. `0` disables caching |
| `keys.<keyName>.decryption-cache-expiry-duration` | No | the `default-…` value | Override the decryption cache duration for this key. `0` disables caching |
| `keys.<keyName>.escrow-key.key-type` | No | `default-escrow-key` | Escrow key type for this key, if deviating from the default |
| `keys.<keyName>.escrow-key.public-key` | No | `default-escrow-key` | Escrow public key for this key, if deviating from the default |

\* `region` is mandatory only when the `AWS_REGION` environment variable is not set. A default escrow key must be configured for AWS KMS unless its key-type is `NONE` or encryption is disabled; see Key management.

```yaml
jeap:
  crypto:
    awskms:
      region: eu-central-2
      default-escrow-key:
        key-type: RSA_4096
        public-key: |
          -----BEGIN PUBLIC KEY-----
          MIICIjANBgkqh...==
          -----END PUBLIC KEY-----
      keys:
        myDb:
          key-arn: "${test-key-arn}"
          encryption-cache-expiry-duration: 2h
          decryption-cache-expiry-duration: 12h
        myObjectStore:
          key-arn: "${test-key-arn}"
```
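The defaulting and mandatory-property rules of the Vault and AWS KMS tables above, applied by an added Python script that is not part of jEAP. It resolves every configured wrapping key to its effective settings (bean name, secret-engine path, cache durations, region, escrow key) and lints the combinations the tables forbid: a missing `key-name`/`key-arn`, no `region` without `AWS_REGION`, an `RSA_4096` escrow type without a PEM public key, and `disabledForTestEnv` on an `abn`/`prod` profile. The function names, the dict-based config shape (what `yaml.safe_load` returns for an `application.yml`) and the sample configs are this example's own assumptions, not a jEAP API.

```python
"""Resolve and lint a jeap.crypto configuration (Vault or AWS KMS) offline.

Added example, not part of jEAP: it re-implements the defaulting and mandatory
property rules of the reference tables on a nested dict of the shape
yaml.safe_load(open("application.yml")) returns.  Function names and sample
configs are this example's own, not a jEAP API.
"""
import os
import re

ISO = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$", re.I)
SIMPLE = re.compile(r"^(\d+)\s*(ms|s|m|h|d)$", re.I)
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value) -> float:
    """Seconds for 'PT1H', '30m', '2h' or a bare 0 (0 turns the cache off)."""
    s = str(value).strip()
    if s == "0":
        return 0.0
    m = ISO.match(s)
    if m and s.upper() != "PT":
        h, mi, sec = (float(x) if x else 0.0 for x in m.groups())
        return h * 3600 + mi * 60 + sec
    m = SIMPLE.match(s)
    if m:
        return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]
    raise ValueError(f"unparseable duration {value!r}")


def dig(cfg, path, default=None):
    """Walk a dotted property path through nested dicts."""
    for part in path.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg


def effective_keys(cfg, env=None):
    """Per wrapping key, the settings that apply once the table defaults are filled in."""
    env = os.environ if env is None else env
    result = {}
    for backend in ("vault", "awskms"):
        base = f"jeap.crypto.{backend}"
        enc_default = dig(cfg, f"{base}.default-encryption-key-cache-expiry-duration", "1h")
        dec_default = dig(cfg, f"{base}.default-decryption-key-cache-expiry-duration", "6h")
        for name, kc in (dig(cfg, f"{base}.keys") or {}).items():
            kc = kc or {}
            eff = {"backend": backend, "bean": f"{name}CryptoService",  # bean naming rule
                   "encryption_cache_s": parse_duration(kc.get("encryption-cache-expiry-duration", enc_default)),
                   "decryption_cache_s": parse_duration(kc.get("decryption-cache-expiry-duration", dec_default))}
            if backend == "vault":
                system = dig(cfg, "jeap.vault.system-name")  # feeds the default transit/${...} path
                default_path = dig(cfg, f"{base}.default-secret-engine-path", f"transit/{system}" if system else None)
                eff.update(key_name=kc.get("key-name"), secret_engine_path=kc.get("secret-engine-path", default_path))
            else:
                # per-key escrow-key overrides default-escrow-key, which defaults to RSA_4096
                escrow = {"key-type": "RSA_4096", **(dig(cfg, f"{base}.default-escrow-key") or {}),
                          **(kc.get("escrow-key") or {})}
                eff.update(key_arn=kc.get("key-arn"), region=dig(cfg, f"{base}.region", env.get("AWS_REGION")),
                           escrow_key_type=escrow.get("key-type"), escrow_public_key=escrow.get("public-key"))
            result[name] = eff
    return result


def lint(cfg, profiles=(), env=None):
    """Findings as strings; an empty list means the mandatory/forbidden rules hold."""
    disabled = bool(dig(cfg, "jeap.crypto.disabledForTestEnv", False))
    out = []
    if disabled and {"abn", "prod"} & set(profiles):
        out.append("jeap.crypto.disabledForTestEnv=true is rejected for the abn/prod profiles")
    try:
        keys = effective_keys(cfg, env)
    except ValueError as e:
        return out + [str(e)]
    for name, eff in keys.items():
        def need(ok, msg, where=f"{eff['backend']} key '{name}'"):
            if not ok:
                out.append(f"{where}: {msg}")
        if eff["backend"] == "vault":
            need(eff["key_name"], "key-name is mandatory")
            need(eff["secret_engine_path"], "no secret-engine-path and jeap.vault.system-name is unset")
        else:
            need(eff["key_arn"], "key-arn is mandatory")
            need(eff["region"], "jeap.crypto.awskms.region is required when AWS_REGION is not set")
            kt, pem = eff["escrow_key_type"], str(eff["escrow_public_key"] or "")
            need(kt in ("RSA_4096", "NONE"), f"escrow key-type must be RSA_4096 or NONE, got {kt!r}")
            # the escrow key is only optional with key-type NONE or a disabled engine
            need(kt != "RSA_4096" or disabled or "BEGIN PUBLIC KEY" in pem,
                 "an X.509 PEM escrow public-key is required unless key-type is NONE")
    return out


# Constructed sample: the Vault configuration shown on this page, as a dict.
VAULT_CFG = {"jeap": {
    "vault": {"system-name": "testapp"},
    "crypto": {"vault": {"keys": {
        "myDb": {"key-name": "testapp-my-database-key",
                 "encryption-cache-expiry-duration": "2h",
                 "decryption-cache-expiry-duration": "12h"},
        "myObjectStore": {"secret-engine-path": "otherapp/transit",
                          "key-name": "otherapp-my-objectstore-key"}}}}}}

# Constructed sample breaking two rules: no region (use env={} so AWS_REGION is unset too)
# and the default RSA_4096 escrow type without any public key.
BAD_AWS_CFG = {"jeap": {"crypto": {"awskms": {"keys": {"myDb": {"key-arn": "alias/my-db-key"}}}}}}
```

Run it against your own `application.yml` via `yaml.safe_load` and pass the active profiles as `profiles=`. The lint mirrors the rules stated in the tables, not the library's own startup validation, so treat its findings as a pre-deploy check rather than as the authoritative verdict.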

Database columns (jeap.crypto.db)

| Property | Mandatory | Default | Description |
|---|---|---|---|
| `jeap.crypto.db.key-id` | Yes* | | Logical key id used by `JeapCryptoStringConverter`. *Required only when the converter is used |

See Encrypted database columns.