Hibernate - Store a column as encrypted, and decrypt only on runtime

I have a database column that needs to be encrypted when passed from a Hibernate-backed web app. The web app is on Tomcat 6, Hibernate 4, and MySQL as the backing store.

The problem however is that the password to encrypt/decrypt this field will only be available at runtime of the program. Initially I had hoped to use the AES_ENCRYPT/DECRYPT methods, outlined quite well here:

DataBase encryption in Hibernate

and here:

http://docs.jboss.org/hibernate/core/3.6/reference/en-US/html/mapping.html#mapping-column-read-and-write

(Though this does refer to version 3.6 of hibernate, I believe it should be the same in 4.0).

However, since this uses the following notation:

@Column(columnDefinition = "LONGBLOB", name = "encryptedBody")
@ColumnTransformer(
    read = "AES_DECRYPT(encryptedBody, 'password')",
    write = "AES_ENCRYPT(?, 'password')")
public byte[] getEncryptedBody() {
    return encryptedBody;
}

public void setEncryptedBody(byte[] encryptedBody) {
    this.encryptedBody = encryptedBody;
}

This requires that the password be specified in the annotation itself, and cannot be a variable.

Is there a way to use the database methods through hibernate in this manner, but with the password as a variable? Is there a better approach?

Jordan Robinson asked Jun 04 '13 13:06


1 Answer

Currently there is not a way to parameterize the pieces of the read/write fragments. They are more meant as general purpose solutions. We have discussed adding support for @Encrypted in Hibernate that would roughly act like you suggest. @Encrypted would give more flexibility, like in-vm crypto versus in-db crypto, parameterization, etc.

JPA 2.1 also has a feature you could use, called attribute converters. They would only be able to apply in-VM crypto, however.

Steve Ebersole answered Oct 18 '22 04:10
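The in-VM attribute-converter route mentioned in the answer, as an added example that is not code from the question, the answer, or Hibernate itself: a JPA 2.1 AttributeConverter that encrypts the column with AES-GCM using a key supplied only at runtime, so nothing secret sits in an annotation. It assumes a JPA 2.1 provider (Hibernate 4.3 or later) on Java 7+, and the RuntimeKey holder and AesGcmConverter names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;

// Hypothetical holder: populated once at startup from wherever the key really lives
// (KMS, keystore, operator input); it is never written into source or annotations.
final class RuntimeKey {
    static volatile SecretKey key;
}

// Attach with @Convert(converter = AesGcmConverter.class) on the entity attribute
// (or autoApply = true). The column itself stays a binary type such as LONGBLOB.
@Converter
public class AesGcmConverter implements AttributeConverter<byte[], byte[]> {
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    @Override
    public byte[] convertToDatabaseColumn(byte[] plaintext) {
        if (plaintext == null) return null;
        try {
            byte[] iv = new byte[IV_BYTES];
            RNG.nextBytes(iv);                           // fresh IV for every write
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, RuntimeKey.key, new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(plaintext);            // ciphertext followed by the GCM tag
            return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        } catch (GeneralSecurityException e) {           // includes a missing (null) key
            throw new IllegalStateException("column encryption failed", e);
        }
    }

    @Override
    public byte[] convertToEntityAttribute(byte[] stored) {
        if (stored == null) return null;
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, stored, 0, IV_BYTES);
            c.init(Cipher.DECRYPT_MODE, RuntimeKey.key, spec);
            return c.doFinal(stored, IV_BYTES, stored.length - IV_BYTES); // tag is verified here
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("column decryption failed: wrong key or tampered row", e);
        }
    }
}
```

Because the crypto runs in the JVM, the database never sees the key or the plaintext, which is the trade-off the answer describes: queries such as WHERE on the decrypted value are no longer possible on the server side.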