
Quick Start Guide to Data Encryption (Masking) with Apache ShardingSphere in Spring and Spring Boot

This article explains how to use Apache ShardingSphere's encryption module to transparently store and query sensitive customer data such as ID numbers and bank cards by configuring encryption rules in Spring or Spring Boot, eliminating manual SQL encryption and simplifying compliance for legacy systems.

Architect's Tech Stack

In real business scenarios, databases often need to store sensitive customer information such as ID numbers, bank card numbers, names, and phone numbers, which must be encrypted to meet compliance requirements.

Pain Point 1

Typical solutions require developers to manually encrypt fields in SQL statements before insertion and manually decrypt them during queries, which is cumbersome and tightly couples business development with compliance details.

Pain Point 2

For legacy systems that were launched without data masking, a quick way is needed to achieve compliance with minimal changes, usually involving adding masked columns, migrating data, and adding compatibility logic in the code.

Apache ShardingSphere provides a data masking module that parses and intercepts user SQL, rewrites it according to user-defined masking configurations, and transparently performs encryption and decryption of fields, achieving seamless encrypted storage and query.

Masking Configuration Quick Start – Spring (Explicit Configuration)

Step 1: Add the required Maven dependency.

<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

Step 2: Create an EncryptRuleConfiguration object before the data source is built. The example below configures AES encryption for two tables (card_info and pay_order) and several columns.

private EncryptRuleConfiguration getEncryptRuleConfiguration() {
    Properties props = new Properties();
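    // AES algorithm requires a key. aeskey is defined outside this method (not shown);
    // supply it from external secret configuration rather than a literal in source.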
    props.setProperty("aes.key.value", aeskey);
    EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("AES", props);

    EncryptRuleConfiguration encryptRuleConfig = new EncryptRuleConfiguration();
    encryptRuleConfig.getEncryptors().put("aes", encryptorConfig);

    // START: card_info table masking configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "name", "", "aes");
        EncryptColumnRuleConfiguration columnConfig2 = new EncryptColumnRuleConfiguration("", "id_no", "", "aes");
        EncryptColumnRuleConfiguration columnConfig3 = new EncryptColumnRuleConfiguration("", "finshell_card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("name", columnConfig1);
        columnConfigMaps.put("id_no", columnConfig2);
        columnConfigMaps.put("finshell_card_no", columnConfig3);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("card_info", tableConfig);
    }
    // END: card_info table masking configuration

    // START: pay_order table masking configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("card_no", columnConfig1);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("pay_order", tableConfig);
    }
    // END: pay_order table masking configuration

    log.info("Masking configuration built: {}", encryptRuleConfig);
    return encryptRuleConfig;
}

Explanation:

The four parameters of EncryptColumnRuleConfiguration are plainColumn, cipherColumn, assistedQueryColumn, and encryptorName. For new systems only the cipher column needs to be set, so plainColumn is left empty.

EncryptTableRuleConfiguration receives a map where the key is the logical column name (the column used in SQL) and the value is the corresponding EncryptColumnRuleConfiguration. ShardingSphere rewrites SQL based on this mapping.

Step 3: Wrap the original data source with ShardingSphere’s encrypt data source.

@Bean("tradePlatformDataSource")
public DataSource dataSource(@Qualifier("druidDataSource") DataSource ds) throws SQLException {
    return EncryptDataSourceFactory.createDataSource(ds, getEncryptRuleConfiguration(), new Properties());
}

Result: All insert, update, and select operations on the configured columns are automatically encrypted or decrypted without code changes.
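
A check to run after Step 3, as an added example that is not part of the original article: it writes a constructed sample row through the encrypt data source, then queries the underlying pool directly to confirm the plaintext is not what was stored. It assumes the two DataSource beans from Step 3 (tradePlatformDataSource and druidDataSource), a card_info table whose other columns are nullable, and that equality predicates on id_no are rewritten by ShardingSphere; the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Added example (not from the original article): checks that id_no is stored as ciphertext.
public final class EncryptAtRestCheck {

    // Constructed sample value, not real customer data.
    private static final String SAMPLE_ID_NO = "TEST-ID-0001";

    // encryptDs: the ShardingSphere-wrapped source; rawDs: the underlying pool, no SQL rewriting.
    public static void verify(DataSource encryptDs, DataSource rawDs) throws SQLException {
        run(encryptDs, "INSERT INTO card_info (name, id_no, finshell_card_no) VALUES (?, ?, ?)",
                "Test User", SAMPLE_ID_NO, "TEST-CARD-0001");
        try {
            // Through the encrypt data source the plaintext predicate must find the row.
            if (countByIdNo(encryptDs, SAMPLE_ID_NO) < 1) {
                throw new IllegalStateException("row not found through encrypt data source");
            }
            // Straight against the database the plaintext must not match anything.
            if (countByIdNo(rawDs, SAMPLE_ID_NO) != 0) {
                throw new IllegalStateException("id_no is stored in plaintext");
            }
        } finally {
            // Remove the sample row again (assumes DELETE predicates are rewritten too).
            run(encryptDs, "DELETE FROM card_info WHERE id_no = ?", SAMPLE_ID_NO);
        }
    }

    private static int countByIdNo(DataSource ds, String idNo) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT COUNT(*) FROM card_info WHERE id_no = ?")) {
            ps.setString(1, idNo);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    private static void run(DataSource ds, String sql, String... args) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            for (int i = 0; i < args.length; i++) {
                ps.setString(i + 1, args[i]);
            }
            ps.executeUpdate();
        }
    }
}
```

Run it against a non-production schema; a failure on the second check means the encrypt rule is not being applied to that column.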

Masking Configuration Quick Start – Spring Boot Version

Step 1: Add the following Maven dependencies.

<!-- for spring boot -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-boot-starter</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

Step 2: Configure encryption in application.properties (or application.yml).

spring.shardingsphere.datasource.name=ds
spring.shardingsphere.datasource.ds.type=com.alibaba.druid.pool.DruidDataSource
spring.shardingsphere.datasource.ds.driver-class-name=com.mysql.jdbc.Driver
spring.shardingsphere.datasource.ds.url=jdbc:mysql://host:3306/db
spring.shardingsphere.datasource.ds.username=root
spring.shardingsphere.datasource.ds.password=secret

# Default AES encryptor. The key below is a sample value; keep the real key out of source control.
spring.shardingsphere.encrypt.encryptors.encryptor_aes.type=aes
spring.shardingsphere.encrypt.encryptors.encryptor_aes.props.aes.key.value=hkiqAXU6Ur5fixGHaO4Lb2V2ggausYwW

# card_info table column encryption
spring.shardingsphere.encrypt.tables.card_info.columns.name.cipherColumn=name
spring.shardingsphere.encrypt.tables.card_info.columns.name.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.cipherColumn=id_no
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.cipherColumn=finshell_card_no
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.encryptor=encryptor_aes

# pay_order table column encryption
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.cipherColumn=card_no
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.encryptor=encryptor_aes

After these configurations, ShardingSphere automatically handles encryption and decryption for the specified columns.

Source: https://sourl.cn/uLCCPw
