Also some early performance data. In my tests with a local DB and a mix of select/insert operations, using AES with a 128-bit key wasn’t noticeably slower than using no encryption at all. Using a 256-bit key resulted in 10% overhead. While these are great results, take them with a grain of salt for now until we get more use cases and start using it in production.

Andrus

On Apr 4, 2014, at 3:21 PM, Andrus Adamchik <and...@objectstyle.org> wrote:

> So the crypto module is done and available on trunk. Here is a minimal
> configuration that will do AES/CBC encryption:
>
> 1. Create a keystore and generate a secret key in it:
>
> keytool -genseckey -keystore /tmp/ks1.jceks -storetype JCEKS -alias mykey
>
> 2. Start Cayenne with crypto:
>
> // this can also be a URL or a String representing URL
> File keyStore = new File("/tmp/ks1.jceks");
>
> // obtain this somehow
> char[] keyPassword = ..
>
> // "mykey" is the key alias in #1
> Module crypto = new CryptoModuleBuilder().keyStore(keyStore, keyPassword,
> "mykey").build();
>
> // this will enable encryption/decryption for all columns matching ^CRYPTO_ regex
> // those must be either character or binary columns
> ServerRuntime runtime = new ServerRuntime("cayenne-myproject.xml", crypto);
>
> So just 3 lines of code give you the encryption. Of course it is fully
> customizable. See ‘CryptoModuleBuilder’ for what can be extended. Also the
> code is pretty raw, so it may break or may be refactored as we find bugs. I
> still need to study the performance and tweak as needed. Also there are
> certain strategies that are not yet available. E.g. we only support block ciphers
> in CBC mode (as this is what I am planning to use in my apps). We will add
> support for ECB and also streaming ciphers eventually.
>
> But … everyone is free to give it a try ;)
>
> Andrus
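
An added example, not part of the original messages and not Cayenne's own code: plain JCE showing a secret key read from a JCEKS keystore by alias and used for AES/CBC with a fresh random IV stored in front of each value. The class name, the IV-prefix layout and the sample values are assumptions; the algorithm check is there because `keytool -genseckey` on JDKs of that period defaults to DES when `-keyalg` is not given.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcKeystoreDemo {
    static final String TRANSFORM = "AES/CBC/PKCS5Padding";
    static final int IV_LEN = 16; // AES block size in bytes

    public static void main(String[] args) throws Exception {
        char[] password = "demo-password".toCharArray(); // constructed sample value
        // In-memory stand-in for step 1: a JCEKS keystore with one secret key entry.
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, password);
        ks.setEntry("mykey", new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(password));

        // Load by alias and refuse anything that is not an AES key.
        SecretKey key = (SecretKey) ks.getKey("mykey", password);
        if (!"AES".equals(key.getAlgorithm()))
            throw new IllegalStateException("expected AES key, got " + key.getAlgorithm());

        byte[] plain = "alice@example.org".getBytes(StandardCharsets.UTF_8); // constructed
        byte[] c1 = encrypt(key, plain);
        byte[] c2 = encrypt(key, plain);
        // Random IVs make equal plaintexts encrypt differently, so an encrypted
        // column cannot be matched with an equality predicate.
        System.out.println("ciphertexts differ: " + !Arrays.equals(c1, c2));
        System.out.println("round trip: " + new String(decrypt(key, c1), StandardCharsets.UTF_8));
    }

    static byte[] encrypt(SecretKey key, byte[] plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // never reuse an IV under the same key
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + body.length); // stored value = IV || ciphertext
        System.arraycopy(body, 0, out, IV_LEN, body.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(stored, 0, IV_LEN));
        return c.doFinal(stored, IV_LEN, stored.length - IV_LEN);
    }
}
```

CBC on its own gives confidentiality only; a modified ciphertext is not detected unless a MAC is added over the stored value.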