Skip to content
Make the protection/encryption of personal data easier when storing it using jackson or spring-data
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


The GDPR encourages us to build our applications secure by default:

Companies/organisations are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start (‘data protection by design’) [...]

One measure to protect personal data is to encrypt it at rest. Of course this can be done at the file system level, e.g. when using a crpypt file system for database volumes. But this won't protect the data if an attacker gains access to the mounted file system or for example to the database itself, e.g. via SQL injection or stolen credentials.

So to add a level of security you have apply data encryption at rest on the application level.

This project tries to make application level encryption easier by providing annotations to simply mark entity attributes as personal data.

Lets have a look at how to do this for spring-data-mongodb: The follwing example Customer class inspired by the Spring Data mongo db getting started guide:

public class Customer {
    public String id;
    public String email;
    public String firstName;
    public String lastName;

    public Customer() {}

    Customer(String email, String firstName, String lastName) { = email;
        this.firstName = firstName;
        this.lastName = lastName;

The first and the last name are marked as @PersonalData thus are not stored in plain text (we will lok at the e-mail address later). The resulting BSON looks like this:

  "_id": ObjectId("5d5cfa3c184a3d77e6a3121c"),
  "email": "",
  "_class": "de.neuland.persistentprivacy.mongodb.example.Customer",
  "_personal_data": {
    "data": "7lKNVT5FoBO9mb4HOP5SuZ+v7QkzxZ4KG+3SqtGn4fMtVHAJLOt+EgAu01CztV3ufxhljDGI0X0LQUo=",
    "iv": "gzY1cZvXJoLd7nRv",
    "keyRef": "key"

The actual encryption is done by registering a PrivacyProtectionListener: in your configuration:

public class ExampleConfiguration {

    private KeyRepository keyRepository = new KeyRepository() {
        byte[] testKeyData = Base64.getDecoder().decode("SXrCuhJwJSbLif8+Ol6wwe5gqHYnM7H6DX2PmBMg8WM=");
        private Key key = new SecretKeySpec(testKeyData, "AES");

        public Key keyForName(String keyRef) {
            return key;

        public KeyData defaultAesKey() {
            return new KeyData("key",key);

    public ApplicationListener<MongoMappingEvent<?>> privacyProtectionListener() {
        CryptoService cryptoService = new ExampleCryptoService(keyRepository);
        ObjectMapper personalDataObjectMapper = new ObjectMapper();
        return new PrivacyProtectionListener(cryptoService, personalDataObjectMapper);

You can’t perform that action at this time.