Recently I had to evaluate an older encryption service that existed in an Java app. The service was written in the early days when the JCE was relatively new and it used BouncyCastle as the provider. While coded quite well the service had code which handled all sorts of the low level JCE stuff like x509 certificate generation, keystore management, key generation.
Regardless I figured there must be some higher level library out there by now which handles all this low level stuff, provides some higher level solid encryption and digestion methods and could simply be a drop in replacement. All the later, likely are being developed by folks who stay on top of all the latest in the JCE security & encryption field.
After doing some research I came across Jasypt: Simplified Java Encryption. Jasypt provides exactly the kind of drop in security/encryption module replacement I was looking for. It provides several high-level encryption and digestion api’s that just work out of the box and are quite secure. Jasypt is thread safe, works with Hibernate, Spring and you can drop in any JCE provider you like.
The high level “out of the box” password and text encryption methods that Jasypt provides (click here) are there for those of you who are short on time. However after doing some testing, if you have to encrypt a large volume of data (even if the fields are small), I must say that the slowdown difference between
StrongPasswordEncryptor is about a factor of a 10. Why? Well the Strong version is doing 10,000 iterations vs. 1000 on the Basic version. Regardless, if the high-level methods don’t quite do the exact job you need to do (as in my case), you can always do your own custom encryption based on different algorithms, salts, iterations etc.
Another nice feature of the library is if you have a need for PBE (password based encryption). For example, your application requires a special password to use a private key to decrypt/encrypt data at runtime. Rather than store that sensitive password somewhere on disk or in a config file, you can use Jasypt’s Web PBE Configuration to set the password at deployment time via a web-interface.
All in all if you are looking at doing a custom implementation that uses the JCE, I highly recommend you take a look at starting with Jasypt and go from there. These guys have the details nailed down, while still allowing you to get under the hood, or stay at a higher level and being confident you are getting proper encryption.
Lastly, I also recommend you read Jasypt’s primer on proper password encryption.