Add config encryption example

examples/config/encryption/README.md

@@ -0,0 +1,78 @@
+# Storing Encrypted Values in Helidon Config
+
+This example uses the `helidon-config-encryption` module to encrypt
+a value so that it can be stored and retrieved from `application.yaml`.
+It uses AES/GCM symmetric key encryption.
+
+## Build and Run 
+
+```bash
+mvn clean package
+java -jar target/helidon-examples-config-encryption.jar
+```
+
+The application prints:
+
+```
+SECRET!!! secret-key=secret-value
+```
+
+But the value is just clear text in the config file. How do we encrypt it?
+
+## Encrypt value using AES/GCM
+
+We encrypt the value using Helidon's encryption tooling.
+We use AES/GCM symmetric encryption with the private key
+(aka master password) `changeit`.
+
+```base
+java -jar target/libs/helidon-config-encryption-*.jar aes changeit secret-value
+```
+**Note**: for Helidon 4.2.1-4.2.6 you need to provide the classpath when running the command:
+`java -cp "target/libs/*" io.helidon.config.encryption.Main aes changeit secret-value`
+
+This will produce an encrypted value suitable for putting in a Helidon configuration file.
+It will look something like:
+
+```
+${GCM=PAFWz...txS74=}
+```
+
+(the three dots above represent a lengthy string of random characters -- not literally three dots)
+
+Now edit `src/main/resources/application.yaml` and replace `secret-value` with the encrypted value.
+It will look something like this:
+
+```
+secret-key: "${GCM=PAFWz...txS74=}"
+```
+
+Now build and re-run your application. You will see the encrypted value returned
+from Helidon Config because we have not provided the key to decrypt the value:
+
+```
+SECRET!!! secret-key=${GCM=PAF5IWz...txS74=}
+```
+
+
+## Passing the private key to your Helidon application
+
+In this example we are going to pass the private key (master password) to the application using the special environment variable `SECURE_CONFIG_AES_MASTER_PWD`:
+
+```bash
+SECURE_CONFIG_AES_MASTER_PWD=changeit java -jar target/helidon-examples-config-encryption.jar
+```
+
+So now you see the decrypted value:
+
+```
+SECRET!!! secret-key=secret-value
+```
+
+## What is happening
+
+The `helidon-config-encryption` module provides config encryption support. When it is added to your
+project as a dependency it registers a `ConfigFilter` that understands how to decrypt
+encrypted values. This happens automatically when you retrieve the value of an encrypted configuration property.
+The [EncryptionFilter](https://helidon.io/docs/latest/apidocs/io.helidon.config.encryption/io/helidon/config/encryption/EncryptionFilter.html) 
+knows to check the environment variable for the private key.

examples/config/encryption/pom.xml

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright (c) 2025 Oracle and/or its affiliates.
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.helidon.applications</groupId>
+        <artifactId>helidon-se</artifactId>
+        <version>4.3.0-SNAPSHOT</version>
+        <relativePath/>
+    </parent>
+    <groupId>io.helidon.examples.config</groupId>
+    <artifactId>helidon-examples-config-encryption</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <mainClass>io.helidon.examples.config.Main</mainClass>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-yaml</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-encryption</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>copy-libs</id>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

examples/config/encryption/src/main/java/io/helidon/examples/config/Main.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.examples.config;
+
+import io.helidon.config.Config;
+
+/**
+ * The application main class.
+ */
+public class Main {
+
+    /**
+     * Cannot be instantiated.
+     */
+    private Main() {
+    }
+
+    /**
+     * Application main entry point.
+     * @param args command line arguments.
+     */
+    public static void main(String[] args) {
+        // initialize config from default configuration
+        Config config = Config.global();
+
+        System.out.println("SECURE_CONFIG_AES_MASTER_PWD=" + System.getenv("SECURE_CONFIG_AES_MASTER_PWD"));
+        System.out.println("SECRET!!! secret-key=" + config.get("secret-key").asString().get());
+    }
+}

examples/config/encryption/src/main/java/io/helidon/examples/config/package-info.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright (c) 2025 Oracle and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.helidon.examples.config;

examples/config/encryption/src/main/resources/application.yaml

@@ -0,0 +1,17 @@
+#
+# Copyright (c) 2025 Oracle and/or its affiliates.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+secret-key: "secret-value"

examples/config/pom.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 
-    Copyright (c) 2017, 2024 Oracle and/or its affiliates.
+    Copyright (c) 2017, 2025 Oracle and/or its affiliates.
 
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
@@ -40,6 +40,7 @@
         <module>sources</module>
         <module>profiles</module>
         <module>metadata</module>
+        <module>encryption</module>
     </modules>
 
 </project>