CYBERCRYPT D1 for JPA

The integration works by encrypting and decrypting data transparently, using CYBERCRYPT D1 Generic when querying or storing data in the database. Selected parts of the data are encrypted on the way from the application to the database, so that the database itself never receives the data in plain text.

This protects the data in the database from being read or tampered with by third parties.

Supported versions

Any JPA spec implementation of version 2.2 and up is supported, including Hibernate ORM and EclipseLink.

Installation

To download and install the integration library from the Maven Central Repository, add the following dependency to your build.gradle file:

implementation 'io.cybercrypt.d1:d1-jpa:1.0.0'

Usage

To use the D1 integration for JPA, first inject a Supplier<D1GenericClient> into the D1CryptoConverter class:

D1CryptoConverter.setClientSupplier(new Supplier<D1GenericClient>() {
    @Override
    public D1GenericClient get() {
        // Hand the converter the application's existing D1 Generic client
        return d1GenericClient;
    }
});

Then annotate the entity fields to be encrypted with the corresponding converter:

@Convert(converter = StringD1CryptoConverter.class)
@Column(name = "last_name", nullable = true, length = 300)
private String lastName;

Currently, only the encryption of String and byte[] attributes is supported.

Migration

A utility class is provided for migrating existing data to encrypted columns. The migration process consists of the following steps:

  1. Create new columns in the database for the encrypted attributes, initializing them with NULL;
  2. Update the entity classes with the encrypted attributes annotated with the corresponding CryptoConverter base class;
  3. Update the NULL values in the newly added columns with the encrypted data from the corresponding plaintext columns using the following method:
     Migrator.Migrate(entityManagerFactory, Entity.class, "attributeName", "encryptedAttributeName", 100);

The Migrate method can be safely called multiple times as it will only update the NULL values in the encrypted columns, creating a transaction for every processed batch.
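The three migration steps applied to one attribute, as an added example that is not code from the CYBERCRYPT documentation. The Person entity, the person table, the last_name_enc column and the PersonMigration class are constructed for illustration. The example assumes that the two string arguments of Migrate are entity attribute names and that the final argument is the batch size. The closing query is an added check, not part of the library.

```java
import javax.persistence.*;
// Migrator, D1CryptoConverter, StringD1CryptoConverter and D1GenericClient come from
// the D1 libraries; add their imports (the page does not list the package names).

// Step 1, run once against the database (constructed table and column names):
//   ALTER TABLE person ADD COLUMN last_name_enc VARCHAR(300) NULL;

// Step 2: the entity maps both columns while the migration is in progress.
@Entity
@Table(name = "person")
class Person {
    @Id
    private Long id;

    // Existing plaintext column, read by the migration.
    @Column(name = "last_name")
    private String lastName;

    // New column; the converter encrypts on write and decrypts on read.
    @Convert(converter = StringD1CryptoConverter.class)
    @Column(name = "last_name_enc", nullable = true, length = 300)
    private String lastNameEncrypted;
}

public class PersonMigration {
    // Returns the number of rows that still hold plaintext without an encrypted copy.
    // "throws Exception" is an assumption, since the page does not show Migrate's signature.
    public static long migrate(EntityManagerFactory emf, D1GenericClient client)
            throws Exception {
        // The converter needs a client before any encrypted attribute is touched.
        D1CryptoConverter.setClientSupplier(() -> client);

        // Step 3: fill NULL encrypted values from the plaintext attribute.
        // 100 is the value from the page's call, assumed here to be the batch size.
        Migrator.Migrate(emf, Person.class, "lastName", "lastNameEncrypted", 100);

        // Added check: count rows that were left without an encrypted value.
        EntityManager em = emf.createEntityManager();
        try {
            return em.createQuery(
                    "SELECT COUNT(p) FROM Person p "
                  + "WHERE p.lastName IS NOT NULL AND p.lastNameEncrypted IS NULL",
                    Long.class).getSingleResult();
        } finally {
            em.close();
        }
    }
}
```

A return value of 0 means every non-NULL plaintext value has an encrypted counterpart; because Migrate only updates NULL values, the method can be rerun until it does.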