I'm creating a db that stores encrypted pwds. I need to be able to dycrypt them. I plan on using DB2's encrypt and decrypt command, but our company uses JPA to connect to the DB and while I know I could use @NamedQueries( to specifically state my queries, I wonder if JPA has a default that I should use. I'm new to JPA. Could you point me in the right direction?

Hi,

I don't think there's an encryption/decryption support in JPA.
You would have to do the encryption in the business/service layer as opposed to domain/data layer.

What we usually do is use an api (SAAJ, etc) to encrypt password when they are inserted.
When retrieving, the password supplied is encrypted and compared to the encrypted string in the database,
and the user is allowed to login.
This means there is really no need for decryption.

I guess I wasn't clear upon the purpose of my task. The passwords being stored are not to be used to compare for logins. They are being used to track application logins into servers. We have a problem where the passwords expired and our apps fail and we have only one person who knows what the old password is or can reset it. I know that app passwords should be non-expiring but there are various reasons that it is difficult to achieve. Our apps also have to access servers that are not under our control and we need to be able to track those as well. As a result, they do need to be decrypted so that an authorized person can read them in the clear.

Hi Kari,

To be able to decrypt the existing password, you can read the encrypted string from the database using JPA,
then decrypt it in the service layer.

The above solution will work although I have concerns about security.
The majority of applications/system consider it a security issue to send a customer's existing password by email.
What's stopping anyone from running this service to get customer's passwords?

Most would have a security question and answer filled up during registration.
When the customer forgets password, he supplies his username, security question/answer,
and a randomly generated password is emailed to him.
He will be forced to immediately change the password after he logins.

Where would I go to find how to decrypt the password in the service layer? Remember the passwords I'm keeping track of are passwords used by batch applications and not user passwords to the applications that control those batch programs.The e-mail will not contain the password - only a warning that the password is scheduled to expire so that someone can take action to reset the passwords so that the batch programs won't fail. There is a separate password system that controls access to all of these apps.

The SecurityFaq points to some resources about JCE, the standard Java API for cryptography. Of course, encryption/decryption requires a key, so the problem of protecting passwords has now been transformed into the problem of protecting the encryption key.

I finally found my solution: use JPA's executeNativeQuery and build my own query with the required DB2 encryption and decryption phrases. The encryption key will be stored as part of the build.