Encryption & Decryption with Crypto

Platform security is important. Creating a composite application for the AppExchange, developing integrations with open authentication (OAuth) or simply integrating Salesforce with an internal system/platform can make your security team nervous. However, the Salesforce Crypto class should put your security folks at ease.

We use Salesforce encryption / decryption logic on a daily basis with many of our applications. For example, our Currency Management Application communicates between the client Salesforce organization, our company Salesforce organization and our interactiveties.com web servers. In order to make sure our service is communicating between platforms properly and without issue, we include encrypted keys in our request/response logic. This means we can verify data integrity and prevent unauthorized or malicious activity.

The point of this post is to familiarize you with the Crypto class and provide you with the information you need to make use of this class as it may be useful for you as you build on the platform.

/*
	Created by: Greg Hacic
	Last Update: 9 February 2017 by Greg Hacic
	Questions?: greg@interactiveties.com
	
	Notes:
		- methods for encrypting Strings and decrypting ciphers using Advanced Encryption Standard (AES) keys
		- currently supported algorithms: AES128, AES192 and AES256
*/
public class encryptionCodeShare { //Apex class declarations take no parentheses
	
	private String dataToBeEncrypted = 'This is a long string that we encrypt using Advanced Encryption Standards'; //string to be encrypted
	private Blob dataToBeEncryptedAsBlob = Blob.valueOf(dataToBeEncrypted); //converts the string to a blob
	private Blob crypto128Key = Crypto.generateAesKey(128); //Salesforce generated 128 bit AES key
	private String string192Key = 'ro7jW2ndy2Z/1SBpT5aLEbDiP1nPKKLa'; //Base64-encoded string representation of a private 192 bit AES key which was generated outside of Salesforce > for demonstration purposes only - you should not hardcode this key in your Apex code
	private String stringIV = '01234567Xgfedcba'; //string representation of the 128 bit initialization vector - Crypto.encrypt requires exactly 16 bytes, which is why this string is 16 characters long
	private Blob crypto192Key = EncodingUtil.base64Decode(string192Key); //converts the Base64-encoded string192Key String to a Blob representing its normal form
	private Blob iv = Blob.valueOf(stringIV); //initialization vector - an arbitrary string that can be used along with a secret key for data encryption
	
	//encryption using AES128, Salesforce generated private key and initialization vector
	public Blob encrypt128() {
		Blob returnCipher = Crypto.encryptWithManagedIV('AES128', crypto128Key, dataToBeEncryptedAsBlob); //encrypts the Blob using the AES128 algorithm and 128 bit private key
		return returnCipher; //return the Blob
	}
	
	//decryption using AES128, Salesforce generated private key and initialization vector
	public String decrypt128() {
		Blob encryptedCipher = encrypt128(); //encrypt the dataToBeEncrypted string
		Blob decryptedCipher = Crypto.decryptWithManagedIV('AES128', crypto128Key, encryptedCipher); //decrypt the cipher using the AES128 algorithm and 128 bit private key
		return decryptedCipher.toString(); //convert the blob to a string and return
	}
	
	//encryption using AES192, externally generated private key and initialization vector
	public Blob encrypt192() {
		Blob returnCipher = Crypto.encrypt('AES192', crypto192Key, iv, dataToBeEncryptedAsBlob); //encrypts the Blob using the AES192 algorithm, 192 bit private key and initialization vector
		return returnCipher; //return the Blob
	}
	
	//decryption using AES192, externally generated private key and initialization vector
	public String decrypt192() {
		Blob encryptedCipher = encrypt192(); //encrypt the dataToBeEncrypted string
		Blob decryptedCipher = Crypto.decrypt('AES192', crypto192Key, iv, encryptedCipher); //decrypt the cipher using the AES192 algorithm, 192 bit private key and initialization vector
		return decryptedCipher.toString(); //convert the blob to a string and return
	}

}

The example illustrates two ways to use a private key. The AES128 methods use Salesforce to generate the private key and initialization vector. The AES192 methods use a private key that was generated outside of Salesforce. Remember, any private keys generated outside of Salesforce should not be stored in the Apex class as demonstrated above. Use a custom setting or another method to access the private key.
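The following class is an added example and is not code from the original post or from interactiveties.com. It shows the pattern the paragraph above recommends: the key is read from a hierarchy custom setting rather than hardcoded, Crypto.encryptWithManagedIV supplies a fresh IV for every cipher text, and, going one step beyond the round-trip shown on the page, an HMAC from the same Crypto class is attached so the receiving side can reject a tampered payload before it decrypts anything. The custom setting Crypto_Settings__c, its fields AES_Key__c and HMAC_Key__c, and the class name SecureEnvelope are assumptions for this example.

```apex
/*
    Added example, not code from the original post or from interactiveties.com.
    Keeps the AES key out of the Apex source by reading it from a protected
    hierarchy custom setting, uses Crypto.encryptWithManagedIV so a random IV is
    generated and prepended to every cipher text, and attaches an HMAC so the
    receiver can detect a tampered payload before decrypting it.

    Assumptions (not on the original page):
      - a protected hierarchy custom setting Crypto_Settings__c exists with Text
        fields AES_Key__c and HMAC_Key__c that hold Base64-encoded keys
      - the class name SecureEnvelope and the field names are placeholders
*/
public class SecureEnvelope {

    public class EnvelopeException extends Exception {}

    private static final String CIPHER_ALGORITHM = 'AES256';   // needs a 32 byte key
    private static final String MAC_ALGORITHM = 'hmacSHA256';  // 32 byte key used here as well

    // One-time helper for an administrator: generates two random 256 bit keys and
    // returns them Base64-encoded so they can be pasted into the custom setting.
    // Crypto.generateAesKey only yields random bytes, so it also serves for the HMAC key.
    public static Map<String, String> generateKeys() {
        return new Map<String, String>{
            'AES_Key__c'  => EncodingUtil.base64Encode(Crypto.generateAesKey(256)),
            'HMAC_Key__c' => EncodingUtil.base64Encode(Crypto.generateAesKey(256))
        };
    }

    // Reads one Base64-encoded key from the org-default custom setting record.
    // A missing or wrong-sized key fails loudly instead of silently encrypting with null.
    private static Blob loadKey(String fieldName, Integer expectedBytes) {
        Crypto_Settings__c settings = Crypto_Settings__c.getOrgDefaults();
        String encoded = (settings == null) ? null : (String) settings.get(fieldName);
        if (String.isBlank(encoded)) {
            throw new EnvelopeException('Key ' + fieldName + ' is not configured');
        }
        Blob key = EncodingUtil.base64Decode(encoded);
        if (key.size() != expectedBytes) {
            throw new EnvelopeException('Key ' + fieldName + ' must be ' + expectedBytes + ' bytes');
        }
        return key;
    }

    // Encrypts clearText and returns "<base64 cipher>.<base64 mac>", which is safe to
    // place in an HTTP request or response body. The cipher Blob already carries the
    // random 16 byte IV in front of the encrypted data.
    public static String seal(String clearText) {
        Blob cipher = Crypto.encryptWithManagedIV(CIPHER_ALGORITHM, loadKey('AES_Key__c', 32), Blob.valueOf(clearText));
        Blob mac = Crypto.generateMac(MAC_ALGORITHM, cipher, loadKey('HMAC_Key__c', 32));
        // Base64 output never contains '.', so it is a safe separator
        return EncodingUtil.base64Encode(cipher) + '.' + EncodingUtil.base64Encode(mac);
    }

    // Verifies the MAC first, then decrypts. Any change to the cipher text (including
    // its IV prefix) changes the MAC and is rejected before decryption is attempted.
    public static String open(String envelope) {
        List<String> parts = (envelope == null) ? new List<String>() : envelope.split('\\.');
        if (parts.size() != 2) {
            throw new EnvelopeException('Malformed envelope');
        }
        Blob cipher = EncodingUtil.base64Decode(parts[0]);
        Blob mac = EncodingUtil.base64Decode(parts[1]);
        if (!Crypto.verifyHMac(MAC_ALGORITHM, cipher, loadKey('HMAC_Key__c', 32), mac)) {
            throw new EnvelopeException('Integrity check failed');
        }
        Blob clear = Crypto.decryptWithManagedIV(CIPHER_ALGORITHM, loadKey('AES_Key__c', 32), cipher);
        return clear.toString();
    }
}
```

In an Apex test, insert a Crypto_Settings__c org-default record populated from generateKeys() before calling seal() and open(); the round trip should return the original string, while flipping any character of the first segment should raise EnvelopeException('Integrity check failed') rather than returning garbage. A system outside Salesforce that needs to read these envelopes must use AES-256 in CBC mode with PKCS#5 padding and treat the first 16 bytes of the decoded cipher segment as the IV, which is the layout Crypto.encryptWithManagedIV produces.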

The best way to learn is by trial and error. This should give you a good place to begin iterating over variations of the concepts.
