The current Pax Web implementation for encrypting/decrypting configuration properties is problematic because it assumes a specific implementation of a Jasypt property encryptor. Besides the fact that this is an OSGi anti-pattern, it makes it difficult to modify the property encryption and decryption capabilities so they are more secure (e.g. implementing the Jasypt interface so that it offloads encryption and decryption to an HSM).
I would like to propose that rather than simply instantiating a new StandardPBEStringEncryptor, the ConfigurationImpl class should maintain a service tracker for any implementations of org.jasypt.encryption.StringEncryptor registered with the OSGi container. This is the way property encryption/decryption is implemented in Pax JDBC and I feel that it is an overall better approach.