Encrypting columns in a database using jasypt

For our project we needed to encrypt a number of columns in the database for security purposes and tried out a tool called Jasypt and were able to meet our encryption requirements in under a day. Here are the changes we made to get it to work.

  1. Increase size of columns to be be encrypted in database. (3x was not large enough, 10x was large enough). Change type of non-varchar columns to varchar.
  2. Add the following dependency to your pom.xml
    <dependency>
      <groupId>org.jasypt</groupId>
      <artifactId>jasypt</artifactId>
      <version>1.3.1</version>
    </dependency>
  3. In model classes that have encrypted properties, define a new hibernate @Type as follows. In this example, I am encrypting a String property and a Date property. Note that for embedded model classes (i.e. those with the Hibernate @Embedded annotation) the new @Type only needs to be defined in the enclosing class.
    @TypeDef(
    	        name="encrypted_string",
    	        typeClass = org.jasypt.hibernate.type.EncryptedStringType.class,
    	        parameters = {
    	            @Parameter(name="encryptorRegisteredName", value="hibernateStringEncryptor"),
    	        }
    	    ),
    	    @TypeDef(
    		        name="encrypted_date_as_string",
    		        typeClass = org.jasypt.hibernate.type.EncryptedDateAsStringType.class,
    		        parameters = {
    		            @Parameter(name="encryptorRegisteredName", value="hibernateStringEncryptor"),
    		        }
    		    )
    
    	    }
  4. Above each getter of each property in the model class that needs to be encrypted, add annotations as follows.
    @Type(type="encrypted_string")
        public String getFoo() {
            return foo;
        }
        @Type(type="encrypted_date_as_string")
        public Date getFooDate() {
            return fooDate;
        }
  5. Tell Jasypt how to instantiate a hibernateStringEncryptor bean via Spring. Add the following to your Spring configuration file (applicationContext.xml).
    <bean id="hibernateStringEncryptor"
        class="org.jasypt.hibernate.encryptor.HibernatePBEStringEncryptor">
        <property name="registeredName">
            <value>hibernateStringEncryptor</value>
        </property>
        <property name="password">
            <value>yourPasswordGoesHere</value>
        </property>
      </bean>
  6. The way we tested this was we created a record and then read the record back through straight JDBC to confirm that unencrypted columns matched and encrypted columns did not match. Note that on our project I ran into a problem in that at test time, Jasypt was not able to find hibernateStringEncryptor because the hibernateStringEncryptor bean had never been instantiated (in the application server, all the beans are automatically instantiated when the app server starts up). To get around this problem, we added the following line to our test startup method to instantiate one of these beans before running the tests so that the hibernateStringEncryptor got registered with Jasypt.
    getFactory().getBean("hibernateStringEncryptor");

Note that the encryption used in this example is merely “Strong” encryption. If you want to use an even stronger encryption, then you would change

<property name="password">
        <value>yourPasswordGoesHere</value>
    </property>

to the following

<property name="algorithm">
        <value>PBEWithMD5AndTripleDES</value>
    </property>
    <property name="password">
        <value>yourPasswordGoesHere</value>
    </property>
    <property name="keyObtentionIterations">
        <value>1000</value>
    </property>

.

However if you do this, then you will need to change your local_policy.jar and US_export_policy.jar files in your C:Program FilesJavajdk1.5.X_XXjrelibsecurity folder with the “Unlimited Strength Java(TM) Cryptography Extension Policy Files” versions of these files. You can obtain these from Sun by clicking on the “Download” button beside “Java Cryptography Extension (JCE)” in the “Other Downloads” section of This Page.

 

It's only fair to share...
Share on FacebookGoogle+Tweet about this on TwitterShare on LinkedIn

Leave a Reply