cayenne-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aristedes Maniatis <>
Subject Re: cayenne-crypto
Date Sat, 05 Apr 2014 13:23:50 GMT
Very nice.

1. At the moment Cayenne is clever enough not to save objects to the database if no actual
changes are made to that object in the context. Will this encryption change this in any way?
Will Cayenne still know which objects are unchanged?

2. Why did you decide to go down the regex path instead of some annotation or property in
the model to decide which columns to encrypt?

3. What happens with searching on these columns? Does your patch address any strategy to perform
queries in memory or is that up to the developer to sort out?


On 4/04/2014 11:21pm, Andrus Adamchik wrote:
> So the crypto module is done and available on trunk. Here is a minimal configuration
that will do AES/CBC encryption:
> 1. Create a keystore and generate a secret key in it:
>   keytool -genseckey -keystore /tmp/ks1.jceks -storetype JCEKS -alias mykey
> 2. Start Cayenne with crypto:
>   // this can also be a URL or a String representing URL
>   File keyStore = new File("/tmp/ks1.jceks”); 
>   // obtain this somehow
>   char[] keyPassword = .. 
>   // “mykey” is the key alias in #1
>   Module crypto = new CryptoModuleBuilder().keyStore(keyStore, keyPassword, “mykey").build();
>   // this will enable encryption/decryption for all columns matching ^CRYPTO_ regex
>   // those must be either character or binary columns
>   ServerRuntime  runtime = new ServerRuntime(“cayenne-myproject.xml", crypto);
> So just 3 lines of code give you the encryption. Of course it is fully customizable.
See ‘CryptoModuleBuilder’ for what can be extended. Also the code is pretty raw, so it
may break or may be refactored as we find bugs. I still need to study the performance and
tweak as needed. Also there are certain strategies are not yet available. E.g. we only support
block ciphers in CBC mode (as this is what I am planning to use in my apps). We will add support
for ECB and also streaming ciphers eventually.
> But … everyone is free to give it a try ;) 
> Andrus

Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

View raw message