CYBERCRYPT D1 for JPA
The integration works by encrypting and decrypting data transparently, using CYBERCRYPT D1 Generic when querying or storing in the database. Selected parts of the data are encrypted on the way from the application to the database in such a way that the database itself never receives the data in plain text.
This protects the data in the database from being read or tampered with by third parties.
Supported versions
Any JPA spec implementation of version 2.2 and up is supported, including Hibernate ORM and EclipseLink.
Installation
To download and install the integration library from the Maven Central Repository, add the following dependency to your build.gradle file:
implementation 'io.cybercrypt.d1:d1-jpa:1.0.0'
Usage
To use the D1 integration for JPA, first you have to inject a Supplier<D1GenericClient> into the D1CryptoConverter class:
D1CryptoConverter.setClientSupplier(new Supplier<D1GenericClient>() {
    @Override
    public D1GenericClient get() {
        return d1GenericClient;
    }
});
and then you have to annotate the entity fields to be encrypted with the corresponding converter:
@Convert(converter = StringD1CryptoConverter.class)
@Column(name = "last_name", nullable = true, length = 300)
private String lastName;
Currently, only the encryption of String and byte[] attributes is supported.
Migration
A utility class is provided for migrating existing data to encrypted columns. The migration process consists of the following steps:
- Create new columns in the database for the encrypted attributes, initializing them with NULL;
- Update the entity classes with the encrypted attributes annotated with the corresponding CryptoConverter base class;
- Update the NULL values in the newly added columns with the encrypted data from the corresponding plaintext columns using the following method:
Migrator.Migrate(entityManagerFactory, Entity.class, "attributeName", "encryptedAttributeName", 100);
The Migrate method can be safely called multiple times as it will only update the NULL values in the encrypted columns, creating a transaction for every processed batch.