In my Java based web-app I would like to encrypt some data before it is written to DB and decrypt it once loaded back to memory. To do that I used bouncycastle API and created a class that looks like this:
public class BlowfishEnrypter implements IEncrypter {
/*--- Members ---*/
private BufferedBlockCipher cipher;
private KeyParameter key;
/*--- Constructors ---*/
/**
* Initialize the cryptographic engine. The key array should be at least 8
* bytes long.
*
* @param key
*/
public BlowfishEnrypter(byte[] key) {
cipher = new BufferedBlockCipher(new CBCBlockCipher(new BlowfishEngine()));
this.key = new KeyParameter(key);
}
/**
* Initialize the cryptographic engine. The key array should be at least 8
* bytes long.
*
* @param key
*/
public BlowfishEnrypter(String key) {
this(key.getBytes());
}
/*--- Public ---*/
/**
* {@inheritDoc}
*/
public String encrypt(String input) throws EncryptionException {
if (StringUtils.hasText(input)) {
byte[] bytes = Hex.decode(input);
try {
return new String(encrypt(bytes));
} catch (CryptoException e) {
throw new EncryptionException("Error occured while trying to encrypt", e);
}
} else {
throw new EncryptionException("Illegal argument for encryption: " + input);
}
}
/**
* {@inheritDoc}
*/
public String decrypt(String input) throws EncryptionException {
if (StringUtils.hasText(input)) {
byte[] bytes = Hex.decode(input);
try {
return new String(decrypt(bytes));
} catch (CryptoException e) {
throw new EncryptionException("Error occured while trying to decrypt", e);
}
} else {
throw new EncryptionException("Illegal argument for decryption: " + input);
}
}
/*--- Private ---*/
/**
* Encrypt arbitrary byte array, returning the encrypted data in a different
* byte array.
*
* @param data
* @return Encrypted byte array
* @throws CryptoException
*/
private synchronized byte[] encrypt(byte[] data) throws CryptoException {
if (data == null || data.length == 0) {
return new byte[0];
}
cipher.init(true, key);
return callCipher(data);
}
/**
* Decrypts arbitrary data
*
* @param data
* To decrypts
* @return Decrypted byte array
* @throws CryptoException
*/
private synchronized byte[] decrypt(byte[] data) throws CryptoException {
if (data == null || data.length == 0) {
return new byte[0];
}
cipher.init(false, key);
return callCipher(data);
}
/**
* Private routine that does the gritty work.
*
* @param data
* Data to operate on
* @return Processed byte array
* @throws CryptoException
*/
private byte[] callCipher(byte[] data) throws CryptoException {
int size = cipher.getOutputSize(data.length);
byte[] result = new byte[size];
int olen = cipher.processBytes(data, 0, data.length, result, 0);
olen += cipher.doFinal(result, olen);
if (olen < size) {
byte[] tmp = new byte[olen];
System.arraycopy(result, 0, tmp, 0, olen);
result = tmp;
}
return result;
}
}
So far so good (I think so, if you have any comments on this class please go ahead). To initialize this class I should provide a key. My question would be – How should I manage this key?
To be more specific:
- Should I create it using a specific technique?
- Where should I store it? In a properties file? in the DB? somewhere in my code?
- should this key (we are talking about a string here, right?) be encrypted and then decrypted once it is loaded or used? If so how should I do that?
Depends on a number of things:
Not sure why you would want to encrypt the actual key though because where will you put the key to secure the original key?
The better thing to do though is look at Java SE security to see what, such as the Java Keystore, can do for you. Furthermore you can also read resources on bouncy castle’s website which might be helpful.