Apex & AES256 Bit Encryption
Advanced Encryption Standard 256 bit encryption is an encryption algorithm, or cipher, that is the current industry standard used to encrypt/decrypt files and data transmitted over secure file transfer protocols like HTTPS, FTPS, SFTP etc.
If you want to learn more about AES256 bit encryption, you can read more here and all over the Internet.
While complicated on a number of levels, in the era of high-level programming languages and frameworks, encryption is not difficult to implement. Apex provides a class — the Crypto Class — which obfuscates most of the complexity and allows us to quickly and efficiently encrypt data as needed.
The documentation is relatively straight forward, but we’ll look at an example and follow up with a way to store sensitive data, such as the private key, using Salesforce’s Custom Settings.
We need 3 things to encrypt our data:
- The advanced encryption standard algorithm
- A key as a binary object
- The data as a binary object
The AES Algorithm
Apex handles 3 industry standard algorithms: 128 bit, 192 bit, 256 bit. You can use any of the three depending on your project requirements. According to the documentation, “The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively.” For our example, we’ll use AES256
The Key
The key is sometimes referred to as a secret key. The key should be kept secret as it is the “key” to decrypting the data. With the key, anyone can decrypt the data. Without the key, no one can decrypt the data, even you. Apex provides a method for generating an Advanced Encryption Standard key:
Blob key = Crypto.generateAesKey(256);
This generates a key ready to be passed to the encryption method.
You can also generate your own key. In my current project, the key was issued by an API provider, but you can use a String and convert it to a Blob, provided it is the right size:
String secretKey = '1234567890abcdef1234567890abcdef';
Blob key = Blob.valueOf(secretKey);
The Data
The data also needs to be a Blob data type. This is easy:
String data = 'some data to encrypt/decrypt';
Blob data = Blob.valueOf(data);
Encryption
Apex has several methods for encrypting and decrypting. We’ll use encryptWtihManagedIV()
which “Encrypts the Blob… using the specified algorithm and private key.”
We just need to pass in the algorithm, key and data:
Blob encryptedData = Crypto.encryptWithManagedIV('AES128',
key,
data
);
Encrypt/Decrypt
Decryption works basically the same was as encryption. When we put it all together it looks like this:
String secretKey = '1234567890abcdef1234567890abcdef';
Blob key = Blob.valueOf(secretKey);
=> 32 bits
Blob data = Blob.valueOf('some data to encrypt/decrypt');
=> 20 bitsBlob encryptedData = Crypto.encryptWithManagedIV('AES256',
key,
data
);
=> 48 bitsBlob decryptedData = Crypto.decryptWithManagedIV('AES256',
key,
encryptedData
);
=> 20 bitsString decryptedDataString = decryptedData.toString();
=> 'some data to encrypt/decrypt'
Conclusion
Encryption is a complicated subject, but when required, Apex allows us to handle it without much complexity.
We hope this helps.
Please feel free to leave kind comments, suggestions, corrections and better solutions!