Jasypt is an open-source encryption framework for use with Hibernate.
Ken’s got a blog post that gives a quick overview of Jasypt.
I have twice been asked to summarize how we encrypt data in the database. The short answer is “I don’t really know”, since jasypt takes care of all the details for us. I lost my first write-up so I’m keeping notes here while I write my second.
Here’s the code we use to define the encryptor in our Spring configuration file:
    <bean id="hibernateStringEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
        <property name="password" value="ThisIsntMyRealPassword"/>
        <property name="saltGenerator">
            <bean class="org.jasypt.salt.RandomSaltGenerator"/>
        </property>
    </bean>
Since we don’t specify an algorithm or very many details, we have to figure out what the default implementation of a jasypt encryptor uses.
Here’s the javadoc.
The StandardPBEStringEncryptor defers all encryption to StandardPBEByteEncryptor. The latter class has several default settings that are interesting:
    /**
     * The default algorithm to be used if none specified: PBEWithMD5AndDES.
     */
    public static final String DEFAULT_ALGORITHM = "PBEWithMD5AndDES";

    /**
     * The default number of hashing iterations applied for obtaining the
     * encryption key from the specified password, set to 1000.
     */
    public static final int DEFAULT_KEY_OBTENTION_ITERATIONS = 1000;

    /**
     * The default salt size, only used if the chosen encryption algorithm
     * is not a block algorithm and thus block size cannot be used as salt size.
     */
    public static final int DEFAULT_SALT_SIZE_BYTES = 8;
PBEWithMD5AndDES is the PBES1 scheme from PKCS #5, the Password-Based Cryptography Standard: MD5 is used to derive a key and IV from the password and salt, and the data is then encrypted with single DES (a 56-bit key) in CBC mode. Both MD5 and DES are long deprecated, so this default gives considerably weaker protection than a modern PBE algorithm would.
Additionally, the random salt generator uses the SHA1PRNG algorithm to generate secure salts. SHA1PRNG is a Sun proprietary pseudo-random number generator that’s based on the SHA1 hashing algorithm.
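To make the defaults above concrete, here is an added example (not Jasypt's own code) that reproduces the PBES1 key derivation PBEWithMD5AndDES performs with 1000 iterations, and splits a Jasypt-style message into the 8-byte plain salt that RandomSaltGenerator prepends and the DES-CBC ciphertext that follows it. It assumes an ASCII password, since that is how the JCE turns the password characters into bytes for this algorithm.

```python
import base64
import hashlib

# Jasypt defaults discussed above: PBEWithMD5AndDES (PKCS #5 PBES1), 1000
# key-obtention iterations, and a random salt stored in clear in front of the
# ciphertext. DES is a block algorithm, so its block size doubles as salt size.
DEFAULT_KEY_OBTENTION_ITERATIONS = 1000
DES_BLOCK_SIZE = 8


def pbkdf1_md5(password: bytes, salt: bytes,
               iterations: int = DEFAULT_KEY_OBTENTION_ITERATIONS):
    """PKCS #5 PBKDF1 with MD5, as used by PBEWithMD5AndDES.

    T_1 = MD5(password || salt), T_i = MD5(T_(i-1)); the final 16-byte digest
    is split into an 8-byte DES key and an 8-byte CBC IV. Note that the IV is
    a function of password and salt too, so the salt is all that makes two
    encryptions of the same plaintext differ.
    """
    if iterations < 1:
        raise ValueError("iteration count must be >= 1")
    t = hashlib.md5(password + salt).digest()
    for _ in range(iterations - 1):
        t = hashlib.md5(t).digest()
    return t[:8], t[8:16]  # (DES key, IV)


def encode_jasypt_message(salt: bytes, ciphertext: bytes) -> str:
    """Lay out a message the way StandardPBEByteEncryptor does with a
    RandomSaltGenerator: Base64(salt || ciphertext)."""
    return base64.b64encode(salt + ciphertext).decode("ascii")


def split_jasypt_message(encoded: str):
    """Recover (salt, ciphertext) from a Base64 Jasypt message.

    The plain salt is the first 8 bytes; what follows must be whole DES
    blocks because the cipher uses PKCS #5 padding.
    """
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) < DES_BLOCK_SIZE or (len(raw) - DES_BLOCK_SIZE) % DES_BLOCK_SIZE:
        raise ValueError("expected an 8-byte salt followed by whole DES blocks")
    return raw[:DES_BLOCK_SIZE], raw[DES_BLOCK_SIZE:]


def key_material_for(encoded: str, password: bytes):
    """Given a stored message and the configured password, return the
    (salt, key, iv, ciphertext) a decryptor would work with."""
    salt, ciphertext = split_jasypt_message(encoded)
    key, iv = pbkdf1_md5(password, salt)
    return salt, key, iv, ciphertext
```

The `key_material_for` call is exactly the information a decryptor needs, which illustrates why the password in the Spring configuration is the only secret in this scheme.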