Getting started
This page shows how to add jEAP Crypto to a Spring Boot service and encrypt and decrypt data. For the bigger picture see Architecture; for the full property list see the Configuration reference.
jEAP Crypto encrypts byte arrays client-side with AES-256-GCM. The data key used for the actual
encryption is wrapped (encrypted) by a wrapping key managed in a Key Management Service (KMS) — either
HashiCorp Vault or AWS KMS — and stored together with the ciphertext. You configure one or more
wrapping keys; the starter then registers a CryptoService bean per key.
1. Add the starter
Pick the starter for your KMS. For Vault, also add the jEAP Vault starter, which configures the connection to Vault.
<!-- HashiCorp Vault -->
<dependency>
<groupId>ch.admin.bit.jeap</groupId>
<artifactId>jeap-spring-boot-vault-starter</artifactId>
</dependency>
<dependency>
<groupId>ch.admin.bit.jeap</groupId>
<artifactId>jeap-crypto-vault-starter</artifactId>
</dependency>
<!-- AWS KMS (alternative to Vault) -->
<dependency>
<groupId>ch.admin.bit.jeap</groupId>
<artifactId>jeap-crypto-aws-kms-starter</artifactId>
</dependency>
The version is managed by the jEAP Spring Boot parent. jEAP Crypto with Vault requires the Transit secrets engine to be enabled on the Vault instance.
2. Configure a wrapping key
Each wrapping key gets a logical name under keys.<keyName>. The example configures one Vault key
named myDb. See Configuration reference for AWS KMS and all options.
jeap:
vault:
system-name: "testapp"
crypto:
vault:
# default-secret-engine-path defaults to "transit/${jeap.vault.system-name}"
keys:
myDb:
key-name: "testapp-my-database-key" # name of the wrapping key in Vault
3. Encrypt and decrypt
For each configured wrapping key a CryptoService bean named <keyName>CryptoService is registered.
With a single key you can inject by type; with several keys use a @Qualifier.
@Component
@RequiredArgsConstructor
class DocumentStore {
@Qualifier("myDbCryptoService")
private final CryptoService cryptoService;
void store(byte[] plaintext) {
byte[] container = cryptoService.encrypt(plaintext); // self-describing crypto container
storage.store(container);
}
byte[] load(String path) {
byte[] container = storage.read(path);
return cryptoService.decrypt(container);
}
}
The returned container holds the wrapped data key, the ciphertext and metadata (such as the nonce).
With the CryptoService the wrapping key is taken from configuration and not stored in the container —
see Crypto APIs for KeyIdCryptoService and KeyReferenceCryptoService, which select
the key at runtime.
4. Disable encryption in tests
Set jeap.crypto.disabledForTestEnv: true to make encrypt/decrypt pass the input through
unchanged, so no KMS instance is needed in tests. This is rejected when the abn or prod Spring
profile is active.