
Seamless Data Encryption with ShardingSphere: A Spring Guide

This article explains why encrypting sensitive customer data in databases is essential, outlines common pain points, and demonstrates how Apache ShardingSphere’s data‑desensitization module can be quickly configured in Spring (XML and Boot) to provide transparent AES encryption and decryption without altering business code.

Programmer DD

In real business scenarios, databases often store sensitive customer information such as ID numbers, bank card numbers, names, and phone numbers, which must be encrypted to satisfy compliance requirements.

Pain Point 1

Typical solutions require manually encrypting fields in SQL statements and decrypting them on query, which is cumbersome and tightly couples business logic with compliance details.

Pain Point 2

For systems launched without encryption, a fast way is needed to add desensitization columns, migrate existing data, and add compatibility logic with minimal changes.

Apache ShardingSphere provides a data‑desensitization module that intercepts and rewrites SQL based on user‑defined rules, enabling transparent encryption and decryption of fields.

Quick Start – Spring XML Configuration

Step 1: Add the required Maven dependency.

<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

Step 2: Create an EncryptRuleConfiguration object. The example encrypts columns in the card_info and pay_order tables using AES.

private EncryptRuleConfiguration getEncryptRuleConfiguration() {
    Properties props = new Properties();
    // The AES encryptor requires a key; aeskey is a field of the enclosing class (its definition is not shown)
    props.setProperty("aes.key.value", aeskey);
    EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("AES", props);
    EncryptRuleConfiguration encryptRuleConfig = new EncryptRuleConfiguration();
    encryptRuleConfig.getEncryptors().put("aes", encryptorConfig);
    // card_info table configuration
    // Constructor arguments: plainColumn, cipherColumn, assistedQueryColumn, encryptor name
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "name", "", "aes");
        EncryptColumnRuleConfiguration columnConfig2 = new EncryptColumnRuleConfiguration("", "id_no", "", "aes");
        EncryptColumnRuleConfiguration columnConfig3 = new EncryptColumnRuleConfiguration("", "finshell_card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("name", columnConfig1);
        columnConfigMaps.put("id_no", columnConfig2);
        columnConfigMaps.put("finshell_card_no", columnConfig3);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("card_info", tableConfig);
    }
    // pay_order table configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("card_no", columnConfig1);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("pay_order", tableConfig);
    }
    log.info("Desensitization configuration built: {}", encryptRuleConfig);
    return encryptRuleConfig;
}

Note:

When creating EncryptColumnRuleConfiguration, the first two parameters are plainColumn and cipherColumn. For new systems only the cipher column needs to be set, so plainColumn is left empty.

The map passed to EncryptTableRuleConfiguration uses logical column names as keys; ShardingSphere rewrites SQL to map these to the actual stored columns.

Quick Start – Spring Boot

Step 1: Add dependencies for Spring Boot and the Spring namespace.

<!-- for spring boot -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-boot-starter</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>
<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

Step 2: Configure encryption in application.properties:

spring.shardingsphere.datasource.name=ds
spring.shardingsphere.datasource.ds.type=com.alibaba.druid.pool.DruidDataSource
spring.shardingsphere.datasource.ds.driver-class-name=com.mysql.jdbc.Driver
spring.shardingsphere.datasource.ds.url=xxxxxxxxxxxxx
spring.shardingsphere.datasource.ds.username=xxxxxxx
spring.shardingsphere.datasource.ds.password=xxxxxxxxxxxx

# Default AES encryptor
spring.shardingsphere.encrypt.encryptors.encryptor_aes.type=aes
spring.shardingsphere.encrypt.encryptors.encryptor_aes.props.aes.key.value=hkiqAXU6Ur5fixGHaO4Lb2V2ggausYwW

# card_info table encryption
spring.shardingsphere.encrypt.tables.card_info.columns.name.cipherColumn=name
spring.shardingsphere.encrypt.tables.card_info.columns.name.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.cipherColumn=id_no
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.cipherColumn=finshell_card_no
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.encryptor=encryptor_aes

# pay_order table encryption
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.cipherColumn=card_no
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.encryptor=encryptor_aes
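
What the rules above cause to be stored in a cipher column, as an added example (not code from the article or from ShardingSphere). It assumes the built-in AES encryptor of the sharding-jdbc 4.x line derives an AES-128 key from the first 16 bytes of SHA-1(aes.key.value), uses the JDK's default AES transformation, and Base64-encodes the result; the class name, the SS_AES_KEY variable and the sample values are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

public class CipherColumnCheck {
    // Assumed key derivation: first 16 bytes of SHA-1(aes.key.value) become the AES-128 key.
    static SecretKeySpec deriveKey(String aesKeyValue) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1")
                .digest(aesKeyValue.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(sha1, 16), "AES");
    }

    static String encrypt(String plaintext, String aesKeyValue) throws Exception {
        // "AES" resolves to AES/ECB/PKCS5Padding on the standard JDK provider: no IV, deterministic.
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(aesKeyValue));
        byte[] raw = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw);
    }

    static String decrypt(String stored, String aesKeyValue) throws Exception {
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(aesKeyValue));
        byte[] raw = cipher.doFinal(Base64.getDecoder().decode(stored));
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the key comes from the environment, not from source.
        String key = System.getenv().getOrDefault("SS_AES_KEY", "constructed-demo-key");
        String cardNo = "6222020000000000001"; // constructed, not a real card number

        String stored = encrypt(cardNo, key);
        System.out.println("stored value  : " + stored);
        System.out.println("round trip ok : " + cardNo.equals(decrypt(stored, key)));
        // Equal plaintexts give equal ciphertexts, so WHERE card_no = ? still matches after
        // rewriting, and anyone who can read the table can tell which rows share a value.
        System.out.println("deterministic : " + stored.equals(encrypt(cardNo, key)));
        System.out.println("other differs : " + !stored.equals(encrypt("6222020000000000002", key)));
    }
}
```

Every cipher column depends on the single aes.key.value, so the key needs the same protection as the plaintext it replaces and should not be committed alongside the configuration.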