Grails Jasypt Encryption

by Ted Naleid

Who am I?

Overview

What is it?

Why did we need it?

Advantages

Limitations

How is it used?

What Is It?

grails plugin that integrates strong encryption into GORM

allows field-level encryption on any domain object or field type

import com.bloomhealthco.jasypt .GormEncryptedStringType

class Member { String name String ssn

static mapping = { ssn type: GormEncryptedStringType }}

integrated into domain objects

built on Jasypt Simplified Encryption framework

Jasypt leverages Java Cryptography Extensions (JCE)

Bouncy Castle JCE provider jar included

(you can still use any JCE compatible encryptors you want)

Why did we need it?

constant automated hacking attempts happen on every computer

on the public internet

cloud computing potentially adds security weak points

if you have users, you have data to protect

social security numbers

medical claims/PHI

credit card numbers

birth dates

security question answers

full disk encryption has many drawbacks and limitations

field level encryption lets you protect the sensitive things – everything else is at full speed

don’t need to outrun the bear

advantages

encrypt only what you need to

strongly protects info even if your database gets rooted or someone

steals a database dump

painless integration into your domain

Limitations

encrypted fields take up extra space in database

import com.bloomhealthco.jasypt .GormEncryptedStringType

class Member { String name String ssn

static mapping = { ssn type: GormEncryptedStringType }

static constraints = { ssn( matches: '^\\d{3}-\\d{2}-\\d{4}$', maxSize: 44 // unencrypted 11 ) }}

currently need to use two grails

validators

breaks using field in WHERE clause(so dynamic finders for this field don’t work)

How is it used?

grails install-plugin jasypt-encryption

how do I install it?

// add to Config.groovy or external config file

jasypt { algorithm = "PBEWITHSHA256AND128BITAES-CBC-BC" providerName = "BC" password = "<my super secret passphrase>" keyObtentionIterations = 1000}

how do I configure it?

% cat default_local.policy // Some countries have import limits on crypto strength. This policy file is worldwide importable.grant { permission javax.crypto.CryptoPermission "DES", 64; permission javax.crypto.CryptoPermission "DESede", *; permission javax.crypto.CryptoPermission "RC2", 128, "javax.crypto.spec.RC2ParameterSpec", 128; permission javax.crypto.CryptoPermission "RC4", 128; permission javax.crypto.CryptoPermission "RC5", 128, "javax.crypto.spec.RC5ParameterSpec", *, 12, *; permission javax.crypto.CryptoPermission "RSA", *; permission javax.crypto.CryptoPermission *, 128;};

what encryption does Java allow by default?

% cat default_local.policy // Country-specific policy file for countries with no limits on crypto strength.grant { // There is no restriction to any algorithms. permission javax.crypto.CryptoAllPermission; };

what you actually want(download “unlimited” crypto jar from Sun^wOracle)

import com.bloomhealthco.jasypt.GormEncryptedStringType

class Member { String name String ssn

static mapping = { ! ssn type: GormEncryptedStringType }}

after that, it’s easy

all encrypted values stored as strings in the database

java.lang.String supported out of the box

just implement 3 methods

protected Object convertToObject(String)

protected String convertToString(Object)

public Class returnedClass()

encrypt your own objects

import org.jasypt.hibernate.type.AbstractGormEncryptedStringType

public class GormEncryptedMyObjectType extends AbstractGormEncryptedStringType {

protected Object convertToObject(String string) { new MyObject(string) }

protected String convertToString(Object object) {MyObject.toString()

}

public Class returnedClass() { MyObject }}

create your own GORM encrypted type

class Foo { MyClass value

static mapping = { ! value type: GormEncryptedMyObjectType }}

then use it in your mapping

Quick Demo

Links

Grails Jasypt Pluginhttp://bitbucket.org/tednaleid/grails-jasypt/wiki

Jasypthttp://www.jasypt.org/

Bouncy Castle (AES)http://www.bouncycastle.org/java.html

Unlimited Strength Jars http://www.oracle.com/technetwork/java/javase/downloads/index.html (under “other”)

Questions?