As of ActiveMQ 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt the password, you can use the newly added encrypt command like:
Where the password you want to encrypt is passed with the input argument, while the password argument is a secret used by the encryptor.
The next step is to add the password to the appropriate configuration file, $ACTIVEMQ_HOME/conf/credentials-enc.properties by default.
Note that we used ENC() to wrap our encrypted passwords. You can mix plain and encrypted passwords in your properties files, so encrypted ones must be wrapped this way.
Finally, you need to instruct your property loader to encrypt variables when it loads properties to the memory. Instead of standard property loader we'll use the special one (see \$ACTIVEMQ_HOME/conf/activemq-security.xml) to achieve this.
With this configuration ActiveMQ will try to load your encryptor password from the ACTIVEMQ_ENCRYPTION_PASSWORD environment variable and then use it to decrypt passwords from credential-enc.properties file.
Alternative is to use a simple variant and store encryptor password in the xml file, like this
but with that you'll lose the secrecy of the encryptor's secret. You may also consult http://www.jasypt.org/advancedconfiguration.html for more ideas on how to configure Jasypt.
Finally, we can use properties like we'd normally do
If you want to run the broker with this configuration, you need to do the following:
In this way your encryptor secret is never saved on your system and your encrypted passwords are safely stored in the configuration files.