Apex & AES256 Bit Encryption

Kris Sparks
3 min readNov 16, 2017

--

Advanced Encryption Standard 256 bit encryption is an encryption algorithm, or cipher, that is the current industry standard used to encrypt/decrypt files and data transmitted over secure file transfer protocols like HTTPS, FTPS, SFTP etc.

If you want to learn more about AES256 bit encryption, you can read more here and all over the Internet.

Screenshot of encrypt/decrypt code

While complicated on a number of levels, in the era of high-level programming languages and frameworks, encryption is not difficult to implement. Apex provides a class — the Crypto Class — which obfuscates most of the complexity and allows us to quickly and efficiently encrypt data as needed.

The documentation is relatively straight forward, but we’ll look at an example and follow up with a way to store sensitive data, such as the private key, using Salesforce’s Custom Settings.

We need 3 things to encrypt our data:

  1. The advanced encryption standard algorithm
  2. A key as a binary object
  3. The data as a binary object

The AES Algorithm

Apex handles 3 industry standard algorithms: 128 bit, 192 bit, 256 bit. You can use any of the three depending on your project requirements. According to the documentation, “The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively.” For our example, we’ll use AES256

The Key

The key is sometimes referred to as a secret key. The key should be kept secret as it is the “key” to decrypting the data. With the key, anyone can decrypt the data. Without the key, no one can decrypt the data, even you. Apex provides a method for generating an Advanced Encryption Standard key:

Blob key = Crypto.generateAesKey(256);

This generates a key ready to be passed to the encryption method.

You can also generate your own key. In my current project, the key was issued by an API provider, but you can use a String and convert it to a Blob, provided it is the right size:

String secretKey = '1234567890abcdef1234567890abcdef';
Blob key = Blob.valueOf(secretKey);

The Data

The data also needs to be a Blob data type. This is easy:

String data = 'some data to encrypt/decrypt';
Blob data = Blob.valueOf(data);

Encryption

Apex has several methods for encrypting and decrypting. We’ll use encryptWtihManagedIV() which “Encrypts the Blob… using the specified algorithm and private key.”

We just need to pass in the algorithm, key and data:

Blob encryptedData = Crypto.encryptWithManagedIV('AES128', 
key,
data
);

Encrypt/Decrypt

Decryption works basically the same was as encryption. When we put it all together it looks like this:

String secretKey = '1234567890abcdef1234567890abcdef';
Blob key = Blob.valueOf(secretKey);
=> 32 bits
Blob data = Blob.valueOf('some data to encrypt/decrypt');
=> 20 bits
Blob encryptedData = Crypto.encryptWithManagedIV('AES256',
key,
data
);
=> 48 bits
Blob decryptedData = Crypto.decryptWithManagedIV('AES256',
key,
encryptedData
);
=> 20 bits
String decryptedDataString = decryptedData.toString();
=> 'some data to encrypt/decrypt'

Conclusion

Encryption is a complicated subject, but when required, Apex allows us to handle it without much complexity.

We hope this helps.

Please feel free to leave kind comments, suggestions, corrections and better solutions!

--

--

Kris Sparks
Kris Sparks

Written by Kris Sparks

Software developer. Turing School alum.

Responses (1)