Class SecretCipher

java.lang.Object
com.onec.security.SecretCipher

public final class SecretCipher extends Object
Encrypts/decrypts @Attribute(secret = true) values at rest with AES-256-GCM.

The key comes from configuration (onec.security.secret-key) — never hard-coded — and is SHA-256-hashed to a 256-bit AES key, so any passphrase length is accepted. Each ciphertext carries a fresh random 12-byte IV and is stored as "enc:" + base64(iv || ct).

Both operations are idempotent at the boundary: encrypt(java.lang.String) returns an already-encrypted value unchanged, and decrypt(java.lang.String) passes through any value lacking the enc: prefix (legacy plaintext). When no key is configured, the cipher is inert until a secret value is actually written/read, at which point it fails fast with a clear message.
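The format and boundary behaviour described above, as an added self-contained sketch; it is not the source of com.onec.security.SecretCipher. The class name SecretCipherSketch, UTF-8 encoding, the 128-bit GCM tag, the standard (non-URL-safe) Base64 alphabet and the exception types are assumptions that the page does not state.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
// Added sketch of the documented storage format; not the com.onec.security source.
public final class SecretCipherSketch {
    private static final String PREFIX = "enc:";
    private static final int IV_LEN = 12;      // bytes, as documented
    private static final int TAG_BITS = 128;   // assumption: full-length GCM tag
    private final SecretKeySpec key;           // null when no key is configured
    private final SecureRandom random = new SecureRandom();
    public SecretCipherSketch(String secretKey) throws Exception {
        // SHA-256 of the passphrase is the 256-bit AES key (UTF-8 bytes are an assumption).
        this.key = (secretKey == null || secretKey.isBlank()) ? null : new SecretKeySpec(
            MessageDigest.getInstance("SHA-256").digest(secretKey.getBytes(StandardCharsets.UTF_8)), "AES");
    }
    public boolean isConfigured() { return key != null; }
    public String encrypt(String plaintext) throws Exception {
        if (plaintext == null || plaintext.isBlank() || plaintext.startsWith(PREFIX)) return plaintext;
        byte[] iv = new byte[IV_LEN];
        random.nextBytes(iv);                  // fresh random IV for every ciphertext
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, iv).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);   // "enc:" + base64(iv || ct)
    }
    public String decrypt(String stored) throws Exception {
        if (stored == null || stored.isBlank() || !stored.startsWith(PREFIX)) return stored; // legacy plaintext
        byte[] raw = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        if (raw.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("truncated ciphertext");
        // doFinal throws AEADBadTagException when the stored bytes were altered or the key differs.
        Cipher c = gcm(Cipher.DECRYPT_MODE, Arrays.copyOf(raw, IV_LEN));
        return new String(c.doFinal(raw, IV_LEN, raw.length - IV_LEN), StandardCharsets.UTF_8);
    }
    private Cipher gcm(int mode, byte[] iv) throws Exception {
        if (key == null) throw new IllegalStateException("secret key is not configured"); // fails on first real use
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }
    public static void main(String[] args) throws Exception {
        SecretCipherSketch s = new SecretCipherSketch("constructed-demo-passphrase"); // constructed sample key
        String stored = s.encrypt("db-password");
        System.out.println(s.encrypt(stored).equals(stored) + " " + s.decrypt(stored) + " " + s.decrypt("legacy-plain"));
    }
}
```

Because the key is a single unsalted SHA-256 of the configured value, its strength is that of the value itself, so a long random secret fits better than a memorable passphrase. Values without the enc: prefix are returned as-is and are therefore not covered by the GCM integrity check.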

  • Constructor Details

    • SecretCipher

      public SecretCipher(String secretKey)
  • Method Details

    • isConfigured

      public boolean isConfigured()
    • encrypt

      public String encrypt(String plaintext)
      Encrypts plaintext; returns null/blank and already-encrypted input unchanged.
    • decrypt

      public String decrypt(String stored)
      Decrypts a value produced by encrypt(java.lang.String); passes through null/blank and plaintext.