Embed Size (px)
DESCRIPTION
The Jasypt Encryption plugin for Grails allows field level encryption in your database. It's integrated into GORM/Hibernate for ease of use. It can also be extended to encrypt any type of information you store in your database.
Citation preview
Grails Jasypt Encryption
by Ted Naleid
Who am I?
Overview
What is it?
Why did we need it?
Advantages
Limitations
How is it used?
What Is It?
grails plugin that integrates strong encryption into GORM
allows field-level encryption on any domain object or field type
import com.bloomhealthco.jasypt .GormEncryptedStringType
class Member { String name String ssn
static mapping = { ssn type: GormEncryptedStringType }}
integrated into domain objects
built on Jasypt Simplified Encryption framework
Jasypt leverages Java Cryptography Extensions (JCE)
Bouncy Castle JCE provider jar included
(you can still use any JCE compatible encryptors you want)
Why did we need it?
constant automated hacking attempts happen on every computer
on the public internet
cloud computing potentially adds security weak points
if you have users, you have data to protect
social security numbers
medical claims/PHI
credit card numbers
birth dates
security question answers
full disk encryption has many drawbacks and limitations
field level encryption lets you protect the sensitive things – everything else is at full speed
don’t need to outrun the bear
advantages
encrypt only what you need to
strongly protects info even if your database gets rooted or someone
steals a database dump
painless integration into your domain
Limitations
encrypted fields take up extra space in database
import com.bloomhealthco.jasypt .GormEncryptedStringType
class Member { String name String ssn
static mapping = { ssn type: GormEncryptedStringType }
static constraints = { ssn( matches: '^\\d{3}-\\d{2}-\\d{4}$', maxSize: 44 // unencrypted 11 ) }}
currently need to use two grails
validators
breaks using field in WHERE clause(so dynamic finders for this field don’t work)
How is it used?
grails install-plugin jasypt-encryption
how do I install it?
// add to Config.groovy or external config file
jasypt { algorithm = "PBEWITHSHA256AND128BITAES-CBC-BC" providerName = "BC" password = "<my super secret passphrase>" keyObtentionIterations = 1000}
how do I configure it?
% cat default_local.policy // Some countries have import limits on crypto strength. This policy file is worldwide importable.grant { permission javax.crypto.CryptoPermission "DES", 64; permission javax.crypto.CryptoPermission "DESede", *; permission javax.crypto.CryptoPermission "RC2", 128, "javax.crypto.spec.RC2ParameterSpec", 128; permission javax.crypto.CryptoPermission "RC4", 128; permission javax.crypto.CryptoPermission "RC5", 128, "javax.crypto.spec.RC5ParameterSpec", *, 12, *; permission javax.crypto.CryptoPermission "RSA", *; permission javax.crypto.CryptoPermission *, 128;};
what encryption does Java allow by default?
% cat default_local.policy // Country-specific policy file for countries with no limits on crypto strength.grant { // There is no restriction to any algorithms. permission javax.crypto.CryptoAllPermission; };
what you actually want(download “unlimited” crypto jar from Sun^wOracle)
import com.bloomhealthco.jasypt.GormEncryptedStringType
class Member { String name String ssn
static mapping = { ! ssn type: GormEncryptedStringType }}
after that, it’s easy
all encrypted values stored as strings in the database
java.lang.String supported out of the box
just implement 3 methods
protected Object convertToObject(String)
protected String convertToString(Object)
public Class returnedClass()
encrypt your own objects
import org.jasypt.hibernate.type.AbstractGormEncryptedStringType
public class GormEncryptedMyObjectType extends AbstractGormEncryptedStringType {
protected Object convertToObject(String string) { new MyObject(string) }
protected String convertToString(Object object) {MyObject.toString()
}
public Class returnedClass() { MyObject }}
create your own GORM encrypted type
class Foo { MyClass value
static mapping = { ! value type: GormEncryptedMyObjectType }}
then use it in your mapping
Quick Demo
Links
Grails Jasypt Pluginhttp://bitbucket.org/tednaleid/grails-jasypt/wiki
Jasypthttp://www.jasypt.org/
Bouncy Castle (AES)http://www.bouncycastle.org/java.html
Unlimited Strength Jars http://www.oracle.com/technetwork/java/javase/downloads/index.html (under “other”)
Questions?
