I have always done my encryption at the application level.
I think there are a number of reasons why this makes the most sense.
Here are some tips from my past experience:
1) clump multiple kinds of data together, and/or randomly add data.
Encrypting a single field value by itself generally doesn't provide
enough variation to be secure.
For example, rather than encrypting a credit card number in one place
and an expiration date in another, encrypt all logical fields into one
physical field. I actually go a step further and encrypt all
credit-card-related sensitive information which yields a long string.
You can then randomly add data to the beginning, end, and middle of
your data string to further secure it either before encrypting, after
encrypting, or both.
2) Prefix your encrypted data string with versioning information.
At some point, you are going to need to change your encryption. It's
a lot easier to do this, if which algorithm to use is part of the
data. You can then provide backwards compatibility for older data
until such time, if ever, that you re-encrypt it using a newer
algorithm. You might need to do this because of a defect in your
algorithm, because you've added new data fields, or because you need
to replace your encryption key.
3) Remember that encrypted fields cannot be searched or sorted in the
database, and that providing a search index of any kind will weaken
your encryption. This is the tradeoff of encrypting data.
4) Remember to only work with the decrypted data as character arrays,
not as Strings, once you've pulled it out, to avoid it sticking around
in memory.
Here's a broad overview of the important methods you'd want to
implement. It will take some work to provide your own implementation,
and for obvious reasons, I will not provide mine, but it will give you
a very flexible system when you are finished.
package utilities.encryption;
public class DataBlockEncryptionManager {
protected String findVersion(String encryptedData)
throws EncryptionException
{
}
/**
* Find and decrypt item in encrypted data block.
*
* @param encryptedData
* @param itemIndex from 0 to last item
* @return char array containing decrypted item, may be null if no
data in block.
* @throws EncryptionException
*/
public char[] decryptDataBlock(String encryptedData, int itemIndex)
throws EncryptionException
{
}
/**
* encrypt item in encrypted data block.
*
* @param encryptedData String containing previous encrypted block,
null to create new block
* @param itemIndex from 0 to last item of item to encrypt
* @param newValue to add to block
* @return String containing encrypted block
* @throws EncryptionException
*/
public String encryptDataBlock(String encryptedData, int itemIndex,
char[] newValue)
throws EncryptionException
{
}
}
And write some tests to prove that these work for all kinds of
different situations. Something like permutations of the following:
public void test_encryptDataBlockThenDecrypt() throws EncryptionException
{
String encryptedData = null;
char[] value1 = "The quick brown fox jumped".toCharArray();
String encryptedData2 = instance.encryptDataBlock(encryptedData,
0, value1);
char[] value2 = "over the".toCharArray();
encryptedData2 = instance.encryptDataBlock(encryptedData2, 1, value2);
char[] value3 = "lazy dog".toCharArray();
encryptedData2 = instance.encryptDataBlock(encryptedData2, 2, value3);
char[] value1D = instance.decryptDataBlock(encryptedData2, 0);
ArrayAssert.assertEquals(value1, value1D);
char[] value2D = instance.decryptDataBlock(encryptedData2, 1);
ArrayAssert.assertEquals(value2, value2D);
char[] value3D = instance.decryptDataBlock(encryptedData2, 2);
ArrayAssert.assertEquals(value3, value3D);
}
On Fri, Oct 5, 2012 at 10:37 AM, kadali narendra
<[email protected]> wrote:
>
> Hi All,
>
> I would like to know is there any way Cayenne supports MySQL DB
> encryption/decryption seamlessly. Or else is there any third party libraries
> like Jasypt is available, which we can use for encryption purpose.
>
> I know Jasypt can be integrated with Hibernate for encrypting/decrypting the
> data stored in db thus providing db independence. So I don't have to worry
> about on which db vendor I am using when deploying my application. I am
> looking similar kind of libraries which is available for Cayenne.
>
> If any one happens to know such libraries please let me know. And also please
> share your thoughts on encryption process on db + using cayenne.
>
> Thanks in advance for your help! :)
>
> - Naren
>
