After setting up jasypt-encryption with my Apache Karaf 4.4.1 instance, I have been able to encrypt and retrieve data in my Blueprint XML files like so:
jasypt-encryptor.xml (Dropped it into my deploy folder)
<?xml version="1.0" encoding="UTF-8"?>
<blueprint ...
  <bean id="standardPBEStringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
    <property name="config">
      <bean class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
        <property name="algorithm" value="PBEWithHmacSHA256AndAES_256"/>
        <property name="password" value="$[jasypt.master.password]"/>
        <property name="ivGenerator">
          <bean class="org.jasypt.iv.RandomIvGenerator"/>
        </property>
      </bean>
    </property>
  </bean>

  <!-- Register the Encryptor Service -->
  <service ref="standardPBEStringEncryptor" interface="org.jasypt.encryption.StringEncryptor"/>

  <!-- Property Placeholder Configuration -->
  <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]">
    <ext:location>file:etc/jasypt-mp.properties</ext:location>
  </ext:property-placeholder>
</blueprint>
Which I can reference to decrypt my data in my Blueprint XML files:
ldap-module.xml (In my deploy folder as well):
<?xml version="1.0" encoding="UTF-8"?>
<blueprint ...
  <jaas:config name="karaf" rank="1">
    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
      connection.url = ${connection.url}
      connection.username = ${ldap.user}
      connection.password = ${ldap.password}
      .....
    </jaas:module>
  </jaas:config>

  <cm:property-placeholder persistent-id="p_ldap"/>
  <cm:property-placeholder persistent-id="p_stores" placeholder-prefix="$|" placeholder-suffix="|"/>
  <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

  <jaas:keystore name="ks" path="file:$[karaf.etc]/server/truststore.jks" keystorePassword="$|keystore.password|"/>

  <reference id="encryptorService" interface="org.jasypt.encryption.StringEncryptor"/>
  <enc:property-placeholder encryptor-ref="encryptorService"/>
</blueprint>
This retrieves my .cfg encrypted properties fine (ldap.password="ENC(encrypted_password)").
I have tried to do the same ENC(....) in my org.ops4j.pax.web.cfg file as well, to decrypt my keystore and truststore passwords, but it does not work. I expected this, since I am not telling it anywhere that it should use my decryptor.
Looking over the Karaf documentation and other places, I did not manage to find information about a way to tackle this issue. I have the same concern with my org.ops4j.datasource-x.cfg files which register as datasources in my Apache Karaf instance.
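One way to cover configurations that are consumed by other bundles' ManagedService or ManagedServiceFactory (Pax Web's org.ops4j.pax.web PID and pax-jdbc-config's org.ops4j.datasource factory PID both receive their properties from Config Admin) is an OSGi ConfigurationPlugin. Config Admin calls every registered plugin on the copy of a configuration it is about to deliver, so the plugin can replace ENC(...) values with their plaintext without the ciphertext in etc/*.cfg or the Config Admin store ever changing. The following is an added example written for this post; it is not code from the question, from Karaf or from Pax, and the package name, class names, the 10-second wait and the cmRanking value of 1000 are hypothetical choices. It reuses the org.jasypt.encryption.StringEncryptor service that jasypt-encryptor.xml above already exports, so the same algorithm and master password decrypt both Blueprint placeholders and .cfg files.

```java
// Added example (not from the question, Karaf or Pax): an OSGi ConfigurationPlugin
// that decrypts ENC(...) values before Config Admin delivers a configuration.
// Package name, class names, wait time and ranking are hypothetical choices.
package com.example.karaf.jasypt;

import java.util.ArrayList;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.List;

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.properties.PropertyValueEncryptionUtils;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.Constants;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ConfigurationPlugin;
import org.osgi.util.tracker.ServiceTracker;

/**
 * Decrypts ENC(...) values on the way from Config Admin to the ManagedService or
 * ManagedServiceFactory that consumes the configuration. Only the delivered copy is
 * modified: the .cfg file and Config Admin keep the ciphertext.
 */
public final class JasyptConfigurationPlugin implements ConfigurationPlugin {

    /** Bounded wait for the StringEncryptor service at startup (hypothetical value). */
    private static final long ENCRYPTOR_WAIT_MILLIS = 10_000L;

    private final ServiceTracker<StringEncryptor, StringEncryptor> encryptors;

    public JasyptConfigurationPlugin(ServiceTracker<StringEncryptor, StringEncryptor> encryptors) {
        this.encryptors = encryptors;
    }

    @Override
    public void modifyConfiguration(ServiceReference<?> reference, Dictionary<String, Object> properties) {
        // Collect the keys first so the dictionary is not modified while being enumerated.
        List<String> encryptedKeys = new ArrayList<>();
        for (Enumeration<String> keys = properties.keys(); keys.hasMoreElements();) {
            String key = keys.nextElement();
            Object value = properties.get(key);
            if (value instanceof String && PropertyValueEncryptionUtils.isEncryptedValue((String) value)) {
                encryptedKeys.add(key);
            }
        }
        if (encryptedKeys.isEmpty()) {
            return; // plain configuration, nothing to decrypt
        }
        StringEncryptor encryptor = awaitEncryptor();
        for (String key : encryptedKeys) {
            String ciphertext = (String) properties.get(key);
            try {
                // Strips the ENC( ) wrapper and decrypts with the registered encryptor.
                properties.put(key, PropertyValueEncryptionUtils.decrypt(ciphertext, encryptor));
            } catch (EncryptionOperationNotPossibleException e) {
                // Fail loudly instead of handing the consumer a literal "ENC(...)" string.
                // Only the key is reported; the value never reaches the log.
                throw new IllegalStateException("Cannot decrypt property '" + key + "' for "
                        + reference.getProperty(Constants.SERVICE_PID), e);
            }
        }
    }

    private StringEncryptor awaitEncryptor() {
        try {
            // etc/*.cfg may be delivered before the Blueprint encryptor bundle has started,
            // so give the service a bounded time to appear rather than failing immediately.
            StringEncryptor encryptor = encryptors.waitForService(ENCRYPTOR_WAIT_MILLIS);
            if (encryptor == null) {
                throw new IllegalStateException("No org.jasypt.encryption.StringEncryptor service available");
            }
            return encryptor;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("Interrupted while waiting for StringEncryptor", e);
        }
    }

    /** Bundle-Activator: com.example.karaf.jasypt.JasyptConfigurationPlugin$Activator */
    public static final class Activator implements BundleActivator {
        private ServiceTracker<StringEncryptor, StringEncryptor> tracker;
        private ServiceRegistration<ConfigurationPlugin> registration;

        @Override
        public void start(BundleContext context) {
            tracker = new ServiceTracker<>(context, StringEncryptor.class, null);
            tracker.open();
            Dictionary<String, Object> props = new Hashtable<>();
            // Plugins run in ascending cmRanking order; a high value runs this one after
            // any placeholder-substitution plugins, so ENC(...) is resolved last.
            props.put(ConfigurationPlugin.CM_RANKING, Integer.valueOf(1000));
            // Without CM_TARGET the plugin applies to every PID; set it to restrict the
            // plugin to specific targets such as org.ops4j.pax.web.
            registration = context.registerService(ConfigurationPlugin.class,
                    new JasyptConfigurationPlugin(tracker), props);
        }

        @Override
        public void stop(BundleContext context) {
            registration.unregister();
            tracker.close();
        }
    }
}
```

Two caveats worth checking before relying on this. Plugins are only invoked for configurations that Config Admin delivers to a ManagedService or ManagedServiceFactory; a bundle that reads a Configuration's properties directly through the ConfigurationAdmin API sees the stored ENC(...) string, so confirm the consuming bundle takes the managed-service path. And because plugin changes are not persisted, the Karaf shell keeps showing the ciphertext, which is the intended behaviour: the plaintext exists only in the consumer's memory. The same registration can also be done from Blueprint with a <service> element and a <service-properties> entry for service.cmRanking, alongside the existing jasypt-encryptor.xml.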