The latest articles on DEV Community by Clinvio (@clinvio). https://dev.to/clinvio https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3991551%2F321d46a0-a8fd-4ad5-8c1c-e1f2e520a1c5.jpg https://dev.to/clinvio en Clinvio Thu, 18 Jun 2026 21:40:07 +0000 https://dev.to/clinvio/how-to-implement-field-level-aes-256-gcm-encryption-in-spring-boot-and-why-we-packaged-it-into-one-304d https://dev.to/clinvio/how-to-implement-field-level-aes-256-gcm-encryption-in-spring-boot-and-why-we-packaged-it-into-one-304d <p>If you've ever had to encrypt a <code>nationalId</code>, a <code>creditCardNumber</code>, or a <code>medicalRecord</code> field in a Spring Boot entity, you already know the drill. You write an <code>AttributeConverter</code>, you wire up a <code>Cipher</code> instance, you generate an IV, you figure out where the key lives, you get the GCM tag handling wrong once, you fix it, and three weeks later you finally trust it enough to ship.</p> <p>We've done this enough times — across healthcare and fintech projects — that we stopped doing it manually. This post walks through the full implementation from scratch, the mistakes that are easy to make along the way, and then shows the one-annotation version we eventually packaged into <a href="https://clinvio.hu/nucleus" rel="noopener noreferrer">Nucleus</a>, our open-core Java framework.</p> <h2> Why GCM, and not just AES-CBC </h2> <p>If you search "AES encryption Java" you'll find a lot of CBC-mode examples. Don't use them for new code. CBC gives you confidentiality but no integrity check — an attacker can flip bits in the ciphertext and you won't know it happened until something downstream breaks in a weird way, or worse, doesn't break at all.</p> <p>GCM (Galois/Counter Mode) gives you both confidentiality and authentication in one pass. It produces an authentication tag alongside the ciphertext, and decryption fails loudly if either the ciphertext or the tag has been tampered with. It's also the mode behind TLS 1.3, which is a reasonable signal that it's held up to scrutiny. The relevant specification is NIST SP 800-38D.</p> <h2> Building it by hand </h2> <p>Here's a minimal, correct implementation. This is the version you'd write before you have a framework to lean on.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="kd">class</span> <span class="nc">AesGcmEncryptor</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">String</span> <span class="no">ALGORITHM</span> <span class="o">=</span> <span class="s">"AES/GCM/NoPadding"</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kt">int</span> <span class="no">GCM_TAG_LENGTH_BITS</span> <span class="o">=</span> <span class="mi">128</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kt">int</span> <span class="no">GCM_IV_LENGTH_BYTES</span> <span class="o">=</span> <span class="mi">12</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">SecretKey</span> <span class="n">key</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">AesGcmEncryptor</span><span class="o">(</span><span class="nc">SecretKey</span> <span class="n">key</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">key</span> <span class="o">=</span> <span class="n">key</span><span class="o">;</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">encrypt</span><span class="o">(</span><span class="nc">String</span> <span class="n">plaintext</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">iv</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="no">GCM_IV_LENGTH_BYTES</span><span class="o">];</span> <span class="nc">SecureRandom</span><span class="o">.</span><span class="na">getInstanceStrong</span><span class="o">().</span><span class="na">nextBytes</span><span class="o">(</span><span class="n">iv</span><span class="o">);</span> <span class="nc">Cipher</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="no">ALGORITHM</span><span class="o">);</span> <span class="nc">GCMParameterSpec</span> <span class="n">spec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GCMParameterSpec</span><span class="o">(</span><span class="no">GCM_TAG_LENGTH_BITS</span><span class="o">,</span> <span class="n">iv</span><span class="o">);</span> <span class="n">cipher</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="nc">Cipher</span><span class="o">.</span><span class="na">ENCRYPT_MODE</span><span class="o">,</span> <span class="n">key</span><span class="o">,</span> <span class="n">spec</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">plaintext</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="nc">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">));</span> <span class="c1">// Prepend the IV so it travels with the ciphertext</span> <span class="nc">ByteBuffer</span> <span class="n">buffer</span> <span class="o">=</span> <span class="nc">ByteBuffer</span><span class="o">.</span><span class="na">allocate</span><span class="o">(</span><span class="n">iv</span><span class="o">.</span><span class="na">length</span> <span class="o">+</span> <span class="n">ciphertext</span><span class="o">.</span><span class="na">length</span><span class="o">);</span> <span class="n">buffer</span><span class="o">.</span><span class="na">put</span><span class="o">(</span><span class="n">iv</span><span class="o">).</span><span class="na">put</span><span class="o">(</span><span class="n">ciphertext</span><span class="o">);</span> <span class="k">return</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getEncoder</span><span class="o">().</span><span class="na">encodeToString</span><span class="o">(</span><span class="n">buffer</span><span class="o">.</span><span class="na">array</span><span class="o">());</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">GeneralSecurityException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">EncryptionException</span><span class="o">(</span><span class="s">"Failed to encrypt field"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">decrypt</span><span class="o">(</span><span class="nc">String</span> <span class="n">encoded</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">decoded</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">encoded</span><span class="o">);</span> <span class="nc">ByteBuffer</span> <span class="n">buffer</span> <span class="o">=</span> <span class="nc">ByteBuffer</span><span class="o">.</span><span class="na">wrap</span><span class="o">(</span><span class="n">decoded</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">iv</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="no">GCM_IV_LENGTH_BYTES</span><span class="o">];</span> <span class="n">buffer</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">iv</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">ciphertext</span> <span class="o">=</span> <span class="k">new</span> <span class="kt">byte</span><span class="o">[</span><span class="n">buffer</span><span class="o">.</span><span class="na">remaining</span><span class="o">()];</span> <span class="n">buffer</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="n">ciphertext</span><span class="o">);</span> <span class="nc">Cipher</span> <span class="n">cipher</span> <span class="o">=</span> <span class="nc">Cipher</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="no">ALGORITHM</span><span class="o">);</span> <span class="nc">GCMParameterSpec</span> <span class="n">spec</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GCMParameterSpec</span><span class="o">(</span><span class="no">GCM_TAG_LENGTH_BITS</span><span class="o">,</span> <span class="n">iv</span><span class="o">);</span> <span class="n">cipher</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="nc">Cipher</span><span class="o">.</span><span class="na">DECRYPT_MODE</span><span class="o">,</span> <span class="n">key</span><span class="o">,</span> <span class="n">spec</span><span class="o">);</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">plaintext</span> <span class="o">=</span> <span class="n">cipher</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">ciphertext</span><span class="o">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">String</span><span class="o">(</span><span class="n">plaintext</span><span class="o">,</span> <span class="nc">StandardCharsets</span><span class="o">.</span><span class="na">UTF_8</span><span class="o">);</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">GeneralSecurityException</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">EncryptionException</span><span class="o">(</span><span class="s">"Failed to decrypt field — data may be tampered or corrupted"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>A few details that matter and are easy to skip past:</p> <ul> <li> <strong>The IV must be random and unique per encryption call, but it doesn't need to be secret.</strong> Prepending it to the ciphertext (as above) is the standard approach — you need it to decrypt, and it carries no information about the key.</li> <li> <strong>12 bytes (96 bits) is the recommended IV length for GCM.</strong> Using a different length is technically possible but changes the internal computation in ways that reduce the security margin. Don't deviate without a specific reason.</li> <li> <strong>Never reuse an IV with the same key.</strong> This is the one mistake that actually breaks GCM's security guarantees — IV reuse can leak the authentication key. If you're generating IVs randomly with <code>SecureRandom</code> per call, this is a non-issue at realistic volumes.</li> <li> <strong><code>SecureRandom.getInstanceStrong()</code></strong>, not <code>new Random()</code>. This trips people up constantly. <code>Random</code> is not cryptographically secure and predictable IVs undermine the whole scheme.</li> </ul> <h2> Wiring it into JPA </h2> <p>The encryptor above is useless until it's actually applied to entity fields. The idiomatic way is a JPA <code>AttributeConverter</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Converter</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EncryptedStringConverter</span> <span class="kd">implements</span> <span class="nc">AttributeConverter</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">AesGcmEncryptor</span> <span class="n">encryptor</span><span class="o">;</span> <span class="kd">public</span> <span class="nf">EncryptedStringConverter</span><span class="o">(</span><span class="nc">AesGcmEncryptor</span> <span class="n">encryptor</span><span class="o">)</span> <span class="o">{</span> <span class="k">this</span><span class="o">.</span><span class="na">encryptor</span> <span class="o">=</span> <span class="n">encryptor</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">convertToDatabaseColumn</span><span class="o">(</span><span class="nc">String</span> <span class="n">attribute</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">attribute</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">?</span> <span class="kc">null</span> <span class="o">:</span> <span class="n">encryptor</span><span class="o">.</span><span class="na">encrypt</span><span class="o">(</span><span class="n">attribute</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">convertToEntityAttribute</span><span class="o">(</span><span class="nc">String</span> <span class="n">dbData</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">dbData</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">?</span> <span class="kc">null</span> <span class="o">:</span> <span class="n">encryptor</span><span class="o">.</span><span class="na">decrypt</span><span class="o">(</span><span class="n">dbData</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Then on your entity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Patient</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="kd">private</span> <span class="no">UUID</span> <span class="n">id</span><span class="o">;</span> <span class="nd">@Convert</span><span class="o">(</span><span class="n">converter</span> <span class="o">=</span> <span class="nc">EncryptedStringConverter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">nationalId</span><span class="o">;</span> <span class="nd">@Convert</span><span class="o">(</span><span class="n">converter</span> <span class="o">=</span> <span class="nc">EncryptedStringConverter</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">diagnosis</span><span class="o">;</span> <span class="c1">// standard fields, no encryption needed</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">firstName</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p>This works. It's also the point where most teams stop, because it's "good enough" — and it is, functionally. But there are a few gaps that tend to surface a few months later:</p> <ul> <li> <strong>Key management is now manually wired through a constructor</strong>, which usually means it ends up in <code>application.yml</code> or, worse, hardcoded for "just this once" during a demo.</li> <li> <strong>There's no audit trail.</strong> If a regulator or auditor asks "who decrypted this patient's data and when," a plain <code>AttributeConverter</code> gives you nothing.</li> <li> <strong>Querying encrypted fields breaks.</strong> <code>WHERE nationalId = ?</code> no longer works because the database only sees ciphertext. Every team rediscovers this independently, usually in a sprint planning meeting that goes long.</li> <li><strong>You're now repeating this converter wiring on every sensitive field, in every entity, in every project.</strong></li> </ul> <p>None of these are hard problems individually. But solving all four, correctly, every time, across every project, is exactly the kind of thing that's worth doing once and reusing.</p> <h2> The one-annotation version </h2> <p>This is what we ended up building into Nucleus's encryption module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Entity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">Patient</span> <span class="kd">extends</span> <span class="nc">BaseEntity</span> <span class="o">{</span> <span class="nd">@SensitiveData</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">nationalId</span><span class="o">;</span> <span class="nd">@SensitiveData</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">diagnosis</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">firstName</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p><code>@SensitiveData</code> triggers AES-256-GCM encryption at the field level automatically — same algorithm, same IV handling, same NIST SP 800-38D-aligned implementation described above, but the boilerplate is gone. A few things it handles that the hand-rolled version above doesn't:</p> <ul> <li> <strong>Key management</strong> is pulled from a configured key provider rather than threaded through constructors. Key rotation is supported without a data migration.</li> <li> <strong>Deterministic lookup hashes</strong> are generated alongside the encrypted value for fields you need to query on, so <code>WHERE nationalId = ?</code>-style lookups keep working without decrypting the whole table.</li> <li> <strong>It plugs into the GDPR module</strong>, so encrypted fields are automatically eligible for the consent and retention policies tracked there — encryption and compliance aren't two separate systems you have to keep in sync.</li> </ul> <p>The annotation isn't doing anything magical — it's the same <code>AttributeConverter</code> pattern under the hood, generated and wired automatically based on what we kept rebuilding by hand across projects.</p> <h2> When you don't need any of this </h2> <p>If you're encrypting one or two fields in a side project, the hand-rolled <code>AesGcmEncryptor</code> above is genuinely fine — there's no need to pull in a framework for that. Where this starts to matter is when you have GDPR or HIPAA obligations across a real schema, multiple entities with sensitive fields, and an actual audit requirement. That's the point where doing it five times by hand starts costing more than the framework would.</p> <p>If you want to see the full module — including the key rotation flow and the GDPR integration — it's part of the open-core release:</p> <ul> <li>Docs: <a href="https://clinvio.hu/nucleus/docs" rel="noopener noreferrer">clinvio.hu/nucleus/docs</a> </li> <li>Source: open-core on GitHub (link in the repo)</li> </ul> <p>Happy to go deeper on the key rotation mechanics or the deterministic-hash lookup approach in the comments if anyone's curious — those are the two parts that generate the most questions when we walk through this internally.</p> java springboot security encryption