Posted on by Joshua Outwater

Encryption

First and foremost, I am not an encryption expert. I’ll tell you right off the bat that the solution provided before is not the best to use in a production environment. This is because the encryption password is stored in the application.properties file. If someone gets access to the box and they can read the file, they can decrypt our data. In a future tutorial we will go over other alternatives that will help mitigate this.

Until that time, we are going to focus on learning how to use some of Spring’s support for encryption, specifically the Encryptors class. This class provides a factory for creating encryptors for us that we can use to protect our user’s data. There are two in particular that we are going to focus on, the text encryptor and queryable text encryptor.

The text encryptor we will use to encrypt data that we don’t need to query on. This is because this encryptor will produce a unique encrypted string from the same input for each call. For data that we need to query against we will use a queryable text encryptor which produces the same result for the same input. Here’s an example of each encryptor producing the output for the string “Test Data” when called twice.

TextEncryptor: 

Output #1: 18a6faebfcfebd7e408fa8adfd767735419369351e32397ff894d28767261f81
Output #2: 97141b26bd250350514199fe91afe27ff1ae2316e7eb30845c54b158eecd5e3a

Queryable Text Encryptor

Output #1: dad75835fd6bfdd1446510afb16ff015
Output #2: dad75835fd6bfdd1446510afb16ff015

Adding these to our application is easy by creating named beans for them

@Bean(name = "queryableTextEncryptor")
public TextEncryptor queryableTextEncryptor() {
    return Encryptors.queryableText(password, salt);
}

@Bean(name = "textEncryptor")
public TextEncryptor textEncryptor() {
    return Encryptors.text(password, salt);
}

Next, we need to figure out when we want to encrypt/decrypt our data. One way to do this is by using an AttributeConverter. Attribute converters define an interface that support converting an entity attribute to and from its database representation. By creating custom attribute converters that use our encryptors we can then annotate the attributes we want to encrypt in our entity classes. For example, we want to encrypt the user name we store for each individual. Since we will need to search on that field we’ll use the queryable text encryptor.

@Column
@Convert(converter = QueryableTextEncryptorConverter.class)
private String username;

For more in depth code on how to setup the encryptors, take a look at the demo project on GitHub https://github.com/joutwate/99milestoempty.

Also, if you are looking for hosting please consider Dreamhost. If you’d like to sign up with them and feel inclined to throw me some credit, please use my referral link https://www.dreamhost.com/r.cgi?571777.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.