This closes #4254

artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java

@@ -28,6 +28,7 @@ import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Properties;
@@ -146,6 +147,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
                logger.trace("Set key from system property {}", KEY_SYSTEM_PROPERTY);
                updateKey(key);
             }
+            if (key == null) {
+               final String matchingEnvVarName = envVarNameFromSystemPropertyName(KEY_SYSTEM_PROPERTY);
+               key = getFromEnv(matchingEnvVarName);
+               if (key != null) {
+                  logger.trace("Set key from env var {}", matchingEnvVarName);
+                  updateKey(key);
+               }
+            }
          }
       }
 
@@ -205,6 +214,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
       }
    }
 
+   protected String getFromEnv(final String envVarName) {
+      return System.getenv(envVarName);
+   }
+
+   public static String envVarNameFromSystemPropertyName(final String systemPropertyName) {
+      return systemPropertyName.replace(".","_").toUpperCase(Locale.getDefault());
+   }
+
    private static class PBKDF2Algorithm extends CodecAlgorithm {
       private static final String SEPARATOR = ":";
       private String sceretKeyAlgorithm = "PBKDF2WithHmacSHA1";

artemis-commons/src/test/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodecTest.java

@@ -26,6 +26,7 @@ import java.util.Map;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -76,6 +77,24 @@ public class DefaultSensitiveStringCodecTest {
       assertFalse(codec.verify(otherPassword.toCharArray(), maskedText));
    }
 
+   @Test
+   public void testInitFromEnvVar() throws Exception {
+      final String someString = "bla";
+      DefaultSensitiveStringCodec codecFromEnvVarConfig = new DefaultSensitiveStringCodec() {
+         @Override
+         public String getFromEnv(String v) {
+            if (v.contains("_") && !v.contains(".")) {
+               return someString;
+            }
+            return null;
+         }
+      };
+      Map<String, String> params = new HashMap<>();
+      codecFromEnvVarConfig.init(params);
+      String blaVersion = codecFromEnvVarConfig.encode(someString);
+      assertNotEquals(blaVersion,  getDefaultSensitiveStringCodec(DefaultSensitiveStringCodec.TWO_WAY).encode(someString));
+   }
+
    @Test
    public void testCompareWithOnewayAlgorithm() throws Exception {
       testCompareWithAlgorithm(DefaultSensitiveStringCodec.ONE_WAY);

docs/user-manual/en/masking-passwords.md

@@ -413,6 +413,10 @@ that key to unmask the password(s). Therefore, it is possible to supply your
     that the key is more obscure since it will not exist in any configuration
     file. It can be set immediately *before* the broker starts and then cleared
     from the environment immediately *after* the broker finishes starting.
+ 3. If expansion of the `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY` environment
+    variable to set the system property is a concern, modify the startup scripts
+    to remove the system property assignment, the environment variable will then
+    be read directly.
 
 ### Using a custom codec