public interface EncryptedDataService
Service for encrypting/decrypting
EncryptedData and handling versioned secret keys.-
Method Summary
Modifier and TypeMethodDescriptionvoidCreates a new key for the given identifier.@jakarta.validation.constraints.NotEmpty byte[]decrypt(@NotNull EncryptedData encryptedData) Decrypts the data using the information provided by the parameter.encrypt(@NotEmpty String keyId, @NotEmpty String dataType, @NotEmpty String contentType, @jakarta.validation.constraints.NotEmpty byte[] data) Encrypts some data using a dedicated key.getKeyVersion(@NotEmpty String keyId) Returns the current version of the given identifier.booleanDetermines if a key for the given identifier exists.Rotates the existing key by creating a new one as the next version.
-
Method Details
-
keyExists
Determines if a key for the given identifier exists.- Parameters:
keyId- Identifier to test for.- Returns:
- TRUE if the key is known and can be used for encryption.
-
createKey
Creates a new key for the given identifier.- Parameters:
keyId- Identifier to create a new secret key for.- Throws:
DuplicateEncryptionKeyIdException- The given ID already exists and a key cannot be created again.
-
rotateKey
Rotates the existing key by creating a new one as the next version.- Parameters:
keyId- Key identifier to create a new secret key.- Returns:
- The new version of the key.
- Throws:
EncryptionKeyIdUnknownException- The given key identifier is unknown.
-
getKeyVersion
Returns the current version of the given identifier.- Parameters:
keyId- Key ID to return the version for.- Returns:
- Version of the given identifier.
- Throws:
EncryptionKeyIdUnknownException- The given key identifier is unknown.
-
encrypt
EncryptedData encrypt(@NotEmpty @NotEmpty String keyId, @NotEmpty @NotEmpty String dataType, @NotEmpty @NotEmpty String contentType, @NotEmpty @jakarta.validation.constraints.NotEmpty byte[] data) throws EncryptionKeyIdUnknownException Encrypts some data using a dedicated key. The encrypter will use the latest available version of key and initialization vector. The only arguments used actively for encryption are thekeyIdand thedatabyte array. The rest of the arguments is only stored for information purposes in the resulting data structure.- Parameters:
keyId- Unique identifier of a key to use.dataType- Unique type of the data like "UserPersonalData" or even a fully qualified class name.contentType- Content type like "application/json; encoding=UTF-8; version=1".data- Data to encrypt.- Returns:
- Encrypted data.
- Throws:
EncryptionKeyIdUnknownException- The given key identifier is unknown.
-
decrypt
@NotEmpty @jakarta.validation.constraints.NotEmpty byte[] decrypt(@NotNull @NotNull EncryptedData encryptedData) throws EncryptionKeyIdUnknownException, EncryptionKeyVersionUnknownException, DecryptionFailedException Decrypts the data using the information provided by the parameter. The data itself will only be decrypted, means no transformation in regard to mime and data type will take place. It's up to the caller to use this information to transform the returned byte array to the target type.- Parameters:
encryptedData- Encrypted data and meta information about it.- Returns:
- Decrypted data.
- Throws:
EncryptionKeyIdUnknownException- The given key identifier is unknown.EncryptionKeyVersionUnknownException- The given version of the key is unknown.DecryptionFailedException- Decrypting the data using they key, version and (optional) IV version failed.
-