Skip to main content

jEAP Crypto

jEAP Crypto is a library that provides client-side encryption for data at-rest in Spring Boot applications, and is part of the jEAP project. It performs the actual encryption in the application (client-side) and uses a Key Management Service (KMS) only to wrap/unwrap short-lived data keys, so the wrapping key never leaves the KMS. Encryption is based on AES-256-GCM. The library is independent of the persistence technology and provides:

  • CryptoService, KeyReferenceCryptoService and KeyIdCryptoService APIs to encrypt/decrypt byte arrays
  • A self-describing binary container format that stores the encrypted data key together with the ciphertext
  • KMS backends for HashiCorp Vault (Transit secrets engine) and AWS KMS, wired up via Spring Boot starters
  • Data-key caching (per wrapping key) to reduce KMS round-trips, with Micrometer metrics
  • Escrow encryption of data keys (AWS KMS) for disaster recovery without the KMS
  • Ready-made helpers for encrypted database columns (JPA AttributeConverter) and S3 objects

Documentation

Start with Getting started, then follow the links below.

TopicFile
Getting started (add the starter, encrypt & decrypt)docs/getting-started.md
Architecture & encryption flowdocs/architecture.md
Configuration reference (jeap.crypto.*)docs/configuration.md
Crypto APIs (CryptoService / KeyId / KeyReference)docs/crypto-api.md
Key management (Vault & AWS KMS, escrow, caching, metrics)docs/key-management.md
Encrypted database columnsdocs/database-columns.md
S3 object storagedocs/s3-object-storage.md
Binary container formatdocs/data-format.md

Modules

The group id for all modules is ch.admin.bit.jeap; the version is managed by the jEAP Spring Boot parent. A consuming service depends on one of the starters (plus optional helper modules).

ModulePurpose
jeap-crypto-coreCrypto APIs, AES-GCM engine, container format, escrow and key-management abstractions
jeap-crypto-vaultHashiCorp Vault Transit key-management implementation
jeap-crypto-aws-kmsAWS KMS key-management implementation (incl. escrow encryption)
jeap-crypto-springCommon Spring Boot auto-configuration, bean registration and metrics
jeap-crypto-vault-starterSpring Boot starter wiring jEAP Crypto with Vault
jeap-crypto-aws-kms-starterSpring Boot starter wiring jEAP Crypto with AWS KMS
jeap-crypto-dbJPA AttributeConverter for transparently encrypting database columns
jeap-crypto-s3JeapCryptoS3Template for encrypting/decrypting S3 objects