News: Jasypt 1.0 released: simple encryption + hibernate integration

  1. Jasypt (Java Simplified Encryption) is a Java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge of how cryptography works. A quick overview:
    • It follows the RSA standards for Password-Based Cryptography.
    • It is completely thread-safe.
    • Can be both used in an "easy" way, with almost no difficulty, or in a highly-configurable, power-user way.
    • It provides comprehensive guides and javadoc documentation, to allow developers to better understand what they are really doing to their data.
    • It provides a Hibernate integration add-on (jasypt-hibernate) for persisting fields of your mapped entities in an encrypted manner. Encryption of fields is defined in the Hibernate mapping files, and it remains transparent for the rest of the application (useful for sensitive personal data, databases with many read-enabled users...)
    • It can be perfectly integrated into a Spring application. All the digesters and encryptors in jasypt are designed to be easily used (instantiated, dependency-injected...) from an IoC container like Spring. And, because of it being thread-safe, they can be used without worries in a singleton-oriented environment like Spring.
    • It allows a very high level of configurability: The developer can implement tricks like instructing an "encryptor" to ask a, for example, remote HTTPS server for the password to be used for encryption.
    You can have a look at it at http://www.jasypt.org.
  2. Interesting. I am curious as to the overhead. And does it work if I do projections/report queries? I guess I will have to read a wee bit. It sounds like a good way to enforce use of the API. :)
  3. Hello Mark, thanks for your interest. Overhead... well, if you need to encrypt the data you are storing, you will have to encrypt and decrypt it even if you are not using jasypt :-)... anyway, I designed jasypt trying to obtain good performance, I tried not to forget that aspect.
    About report queries... according to the Reference Docs, the Hibernate API lets you do things like:
        sess.createSQLQuery("SELECT * FROM CATS")
            .addScalar("ID", Hibernate.LONG)
            .addScalar("NAME", Hibernate.STRING)
            .addScalar("BIRTHDATE", Hibernate.DATE);
    So there should be no problem to specify that one of those fields is of "EncryptedTextType" type, and let Hibernate apply encryption.
    Regards, Daniel.
  4. It is not as much a need as a desire. I'd love to prevent people from bypassing the domain layer. As for "report queries", they are like this:
        select person.lastName, person.firstName from Person as person
    Since just Strings are returned (in this instance) and no POJOs are created, I wasn't sure if anything additional in the mapping would be applied. Guess I should give it a whirl.