Encrypted database columns

The jeap-crypto-db module provides a JPA AttributeConverter that transparently encrypts and decrypts individual String entity attributes. The plaintext is encrypted to a jEAP crypto container and stored as a byte[] column; on read it is decrypted back to a String.

Dependency

    <dependency>
        <groupId>ch.admin.bit.jeap</groupId>
        <artifactId>jeap-crypto-db</artifactId>
    </dependency>

A KMS starter (jeap-crypto-vault-starter or jeap-crypto-aws-kms-starter) and at least one configured wrapping key are required, since the converter resolves a KeyIdCryptoService.

Configuration

Declare which logical key id the converter uses:

    jeap:
      crypto:
        db:
          key-id: myDb # a keys.<keyName> entry from the KMS configuration

JeapCryptoDbConfigProperties requires jeap.crypto.db.key-id to be set; the converter fails fast at startup if it is missing or unknown to the configured KeyIdCryptoService.

Usage

Annotate the attribute with @Convert(converter = JeapCryptoStringConverter.class):

    import jakarta.persistence.Convert;   // jakarta.persistence (JPA 3); on a JPA 2 stack the package is javax.persistence
    import jakarta.persistence.Entity;
    import jakarta.persistence.Id;
    // JeapCryptoStringConverter is provided by the jeap-crypto-db module

    @Entity
    public class Document {

        @Id
        private String id;

        // persisted as a byte[] column holding the jEAP crypto container, never as plaintext
        @Convert(converter = JeapCryptoStringConverter.class)
        private String secret;
    }

The column must accept binary data (byte[]). null is mapped to null and an empty string to an empty byte array (and vice versa); non-empty values are encrypted/decrypted via the configured key.
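The mapping contract above, written out as a JPA AttributeConverter<String, byte[]> so the three cases (null, empty, non-empty) are visible in code. This is an added illustration, not the module's JeapCryptoStringConverter: the class name and the two encrypt/decrypt operators are assumptions standing in for the KeyIdCryptoService calls, and the XOR in main is a constructed placeholder for the KMS-backed cipher, not encryption.

```java
import jakarta.persistence.AttributeConverter;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.function.UnaryOperator;

// Added illustration of the documented contract (not the module's own class):
// null <-> null, "" <-> empty byte[], anything else <-> encrypted container bytes.
// The two operators stand in for the encrypt/decrypt calls the real converter makes
// through the KeyIdCryptoService resolved for jeap.crypto.db.key-id (assumed wiring).
public final class ContractDemoStringConverter implements AttributeConverter<String, byte[]> {
    private final UnaryOperator<byte[]> encrypt;
    private final UnaryOperator<byte[]> decrypt;

    public ContractDemoStringConverter(UnaryOperator<byte[]> encrypt, UnaryOperator<byte[]> decrypt) {
        this.encrypt = encrypt;
        this.decrypt = decrypt;
    }

    @Override
    public byte[] convertToDatabaseColumn(String attribute) {
        if (attribute == null) return null;          // NULL column; the KMS is never called
        if (attribute.isEmpty()) return new byte[0]; // empty string -> empty byte array, also unencrypted
        return encrypt.apply(attribute.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public String convertToEntityAttribute(byte[] dbData) {
        if (dbData == null) return null;
        if (dbData.length == 0) return "";
        return new String(decrypt.apply(dbData), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed stand-in for the demo only: a fixed-byte XOR is NOT encryption,
        // it merely makes the round trip observable without a KMS.
        UnaryOperator<byte[]> xor = in -> {
            byte[] out = in.clone();
            for (int i = 0; i < out.length; i++) out[i] ^= 0x5A;
            return out;
        };
        var converter = new ContractDemoStringConverter(xor, xor);
        byte[] stored = converter.convertToDatabaseColumn("s3cret");
        // what reaches the column must differ from the plaintext bytes
        System.out.println(Arrays.equals(stored, "s3cret".getBytes(StandardCharsets.UTF_8)));
        System.out.println(converter.convertToEntityAttribute(stored));   // round trip back to the attribute
        System.out.println(converter.convertToDatabaseColumn(null) == null);
        System.out.println(converter.convertToDatabaseColumn("").length); // empty string stays an empty array
    }
}
```

When verifying a real deployment, read the raw column with a native query and confirm it never contains the plaintext bytes; the only values that legitimately bypass the KMS are NULL and the empty array.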