I have a Java flight recording that I want to share. Unfortunately the Java flight recording contains usernames and passwords in system properties and environment variables (JMC correctly warns of this). Is there a way to remove all system properties and environment variables from the Java flight recording so that I can share it?
It's possible to scrub a recording file using the jfr tool that comes with JDK 19, or later:
$ jfr scrub --exclude-events jdk.InitialSystemProperty,jdk.InitialEnvironmentVariable recording.jfr
The tool should work on recordings from earlier JDK releases as well, perhaps back to JDK 11.
You can verify that it has been removed by using the print command:
Before:
$ jfr print --events jdk.InitialSystemProperty,jdk.InitialEnvironmentVariable recording.jfr
jdk.InitialSystemProperty {
  startTime = 11:03:27.197 (2022-10-19)
  key = "java.vm.compressedOopsMode"
  value = "Zero based"
}
jdk.InitialEnvironmentVariable {
  startTime = 11:03:27.197 (2022-10-19)
  key = "TERM_PROGRAM"
  value = "Apple_Terminal"
}
...
After:
$ jfr print --events jdk.InitialSystemProperty,jdk.InitialEnvironmentVariable scrubbed-recording.jfr
It's also possible to turn the events off on the command line in JDK 17:
$ java -XX:StartFlightRecording:jdk.InitialEnvironmentVariable#enabled=false,jdk.InitialSystemProperty#enabled=false ...
For releases earlier than JDK 17, it's possible to disable the events jdk.InitialEnvironmentVariable and jdk.InitialSystemProperty in JMC, either in the GUI recording wizard or by creating a custom .jfc file. Go to Window -> Template manager and then supply the custom .jfc on the command line like this:
$ java -XX:StartFlightRecording=settings=/path/custom.jfc
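The scrub and verify steps from the answer above can be combined into one fail-closed check before a recording is shared. This is an added example, not part of the original answer; the function name `scrub_and_verify` and the `JFR` override variable are assumptions, and it passes an explicit output file to `jfr scrub` (JDK 19 or later).

```shell
#!/bin/sh
# Added example: scrub a recording, then refuse to keep the output unless
# printing the excluded event types from it yields nothing.
# JFR is an assumed override for the path to the jfr tool (JDK 19+).
JFR="${JFR:-jfr}"
SENSITIVE_EVENTS="jdk.InitialSystemProperty,jdk.InitialEnvironmentVariable"

# scrub_and_verify <input.jfr> <output.jfr>
# Exit status 0 only if <output.jfr> exists and holds none of SENSITIVE_EVENTS.
# The body runs in a subshell, so "exit" sets the function's return status.
scrub_and_verify() (
    in="$1"; out="$2"
    [ -r "$in" ] || { echo "cannot read $in" >&2; exit 2; }
    [ "$in" != "$out" ] || { echo "output must differ from input" >&2; exit 2; }

    # Explicit output path, so the result does not depend on the default name.
    "$JFR" scrub --exclude-events "$SENSITIVE_EVENTS" "$in" "$out" >/dev/null || {
        echo "jfr scrub failed" >&2; rm -f "$out"; exit 3; }
    [ -s "$out" ] || { echo "scrub produced no output" >&2; rm -f "$out"; exit 3; }

    # Same check as the manual "After" step: the filtered print must be empty.
    leftover=$("$JFR" print --events "$SENSITIVE_EVENTS" "$out") || {
        echo "jfr print failed" >&2; rm -f "$out"; exit 4; }
    if [ -n "$leftover" ]; then
        echo "sensitive events still present; deleting $out" >&2
        rm -f "$out"
        exit 5
    fi
    echo "verified: $out"
)

# Usage: scrub_and_verify recording.jfr recording-share.jfr
```

A non-zero status means the output file was deleted and nothing should be shared.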