My (*) approach actually does work, at least on JBoss 7.02, although I do configure it through standalone.xml rather than with annotations. Here's the relevant parts on standalone.xhtml. (I've obfuscated a bit, but hopefully haven't changed the meaning.)
<datasource jndi-name="java:jboss/jdbc/MyDataSourceDS" pool-name="MyPool" enabled="true" jta="true" use-java-context="false" use-ccm="true">
<security-domain name="my-domain-ds" cache-type="default">
<login-module code="SecureIdentity" flag="required">
<module-option name="username" value="jboss"/>
<module-option name="password" value="-338d795ddfc81956fa143bd954f57903"/>
The value of for password is what I got back from the picketbox call.
Basically, I don't understand the vault. You get a masked password that gets you into vault.keystore, and an encrypted password that lets you get to the specific entry? Is that more secure than just decrypting the encrypted password like JBoss has always done?
Oh, and as long as I've got your ear, please does anyone know how to encrypt or mask the password into the keystore holding the site certificate for enabling SSL/https? I'm begging here. I'm on the verge of telling the customer that JBoss 7 cannot fulfill this requirement, which would necessitate porting back to an earlier version.
(*) Not really "my" approach. I pieced it together from official documentation and the forums.
I am also attempting to get password encryption working and use the security-domain inside of the datasource configuration method (which I have been using since 4.0.5) with the exception that I do not use the SecurityIdentity login module because of its hard-coded key, instead I wrote my own login module that generates the key on first use (at least you have to have access to the key file on the file system to decrypt the password as opposed to just the encrypted password). For encrypting the keystore password for https, I have always used: https://community.jboss.org/wiki/EncryptKeystorePasswordInTomcatConnector, however I haven't yet found how to really port this to the new JBoss AS 7 architecture. It would be great if this vault would also work for the keystore password and if you could supply your own implementation for the vault (i.e. the problem with the SecurityIdentity login module is that it uses a hard coded key).
@Gregory Charles: I need the exact same solution! Did you find something that worked? I've been testing the old _OBFUSCATED properties option but that doesn't seem to be implemented in JBoss 7. ([#JBAS-8353] PATCH: Support obfuscated System Properties - JBoss Issue Tracker) I can't compile the latest community version and can't switch to JBoss 6 enterprise to get the working version of Vault.
What did you come up with?