"One-click" data desensitization based on ShardingSphere

Sensitive personal information such as ID numbers, bank card numbers, names and mobile phone numbers is often stored in databases. To meet compliance requirements, such information usually has to be stored encrypted.

Pain point 1:

The usual solution is to encrypt the relevant fields by hand before inserting them when writing SQL, and to decrypt them by hand after a query before using them. This works, but it is inconvenient and cumbersome, and it couples everyday business development tightly to the details of storage compliance.

Pain point 2:

Some systems went online quickly without implementing compliant desensitization at the start. The question is how to bring such an existing business into compliance quickly while minimizing changes to the original system. (Usually this process includes at least: 1. storage for new desensitized columns; 2. synchronous data migration; 3. compatibility logic in business code, etc.)

Apache ShardingSphere includes a data desensitization module that integrates common data desensitization functions. Its basic principle is to parse and intercept the SQL submitted by the user and rewrite it according to the user's desensitization configuration, so that the original fields are encrypted on write and the encrypted fields are decrypted on read. As a result, encryption, decryption, storage and querying are transparent to the user.

Desensitization Quick Start - Spring explicit configuration:

The following describes how to quickly make the system support desensitization configuration based on Spring.

1. Introduce dependency

<!-- for spring namespace -->

2. Create desensitization configuration rule object

Before creating a data source, you need to prepare an EncryptRuleConfiguration for the desensitization configuration. The following example applies AES encryption to different fields of two tables, card_info and pay_order, in the same data source:

// Needs java.util.HashMap, java.util.Map, java.util.Properties and the ShardingSphere encrypt configuration classes.
private EncryptRuleConfiguration getEncryptRuleConfiguration() {
    Properties props = new Properties();

    // Key required by the built-in AES algorithm (aeskey is a field of the enclosing class)
    props.setProperty("aes.key.value", aeskey);
    EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("AES", props);

    // Custom algorithm
    //props.setProperty("", aeskey);
    //EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("QB-FINANCE-AES", props);

    EncryptRuleConfiguration encryptRuleConfig = new EncryptRuleConfiguration();
    encryptRuleConfig.getEncryptors().put("aes", encryptorConfig);

    // START: desensitization configuration of table card_info
    // Constructor arguments: plainColumn, cipherColumn, assistedQueryColumn, encryptor name
    EncryptColumnRuleConfiguration nameColumn = new EncryptColumnRuleConfiguration("", "name", "", "aes");
    EncryptColumnRuleConfiguration idNoColumn = new EncryptColumnRuleConfiguration("", "id_no", "", "aes");
    EncryptColumnRuleConfiguration finshellCardNoColumn = new EncryptColumnRuleConfiguration("", "finshell_card_no", "", "aes");
    Map<String, EncryptColumnRuleConfiguration> cardInfoColumns = new HashMap<>();
    cardInfoColumns.put("name", nameColumn);
    cardInfoColumns.put("id_no", idNoColumn);
    cardInfoColumns.put("finshell_card_no", finshellCardNoColumn);
    encryptRuleConfig.getTables().put("card_info", new EncryptTableRuleConfiguration(cardInfoColumns));
    // END: desensitization configuration of table card_info

    // START: desensitization configuration of table pay_order
    // Separate variable names, because both tables are configured in the same method scope
    EncryptColumnRuleConfiguration cardNoColumn = new EncryptColumnRuleConfiguration("", "card_no", "", "aes");
    Map<String, EncryptColumnRuleConfiguration> payOrderColumns = new HashMap<>();
    payOrderColumns.put("card_no", cardNoColumn);
    encryptRuleConfig.getTables().put("pay_order", new EncryptTableRuleConfiguration(payOrderColumns));
    // END: desensitization configuration of table pay_order

    // log is assumed to be an SLF4J logger of the enclosing class; check that this line does not write the AES key to the log
    log.info("Desensitization configuration construction completed:{} ", encryptRuleConfig);
    return encryptRuleConfig;
}



  1. When creating EncryptColumnRuleConfiguration, there are four parameters. The first two are plainColumn and cipherColumn, which are the two real columns (plaintext column and desensitized column) in database storage. For a new system, you only need to set the desensitized column; in the example above, plainColumn is "".

  2. When creating EncryptTableRuleConfiguration, you need to pass in a map. Each value stored in this map is an EncryptColumnRuleConfiguration as described in #1, and its key is a logical column. For a new system, this logical column is the real desensitized column. When ShardingSphere intercepts and rewrites SQL, it maps the logical column to the plaintext column or the desensitized column (the default) according to the user's configuration, as in the following example.

3. Use the ShardingSphere data source for management

Wrap the original data source

@Bean("tradePlatformDataSource")
public DataSource dataSource(@Qualifier("druidDataSource") DataSource ds) throws SQLException {
    return EncryptDataSourceFactory.createDataSource(ds, getEncryptRuleConfiguration(), new Properties());
}
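
A check worth running once the wrapped data source is in place, given here as an added example that is not part of the original post: the same SQL is sent through the encrypt data source and through the original one underneath it, so plaintext that reached storage shows up as a failure. It assumes card_info has no other mandatory columns and that the caller passes in both data sources (tradePlatformDataSource and druidDataSource above); the class name, method names and sample values are made up for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

/** Added example (hypothetical class): confirms card_info.name is stored as ciphertext. */
public final class EncryptAtRestCheck {
    private static final String NAME = "TEST-NAME-0001"; // constructed sample value
    /** Runs sql on ds; for a query, returns the values of its name column. */
    static List<String> run(DataSource ds, boolean query, String sql, String... args) throws SQLException {
        List<String> names = new ArrayList<>();
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            for (int i = 0; i < args.length; i++) {
                ps.setString(i + 1, args[i]);
            }
            if (!query) {
                ps.executeUpdate();
                return names;
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
    /** encryptDs is the wrapped data source, rawDs the original one underneath it. */
    public static void verify(DataSource encryptDs, DataSource rawDs) throws SQLException {
        String select = "SELECT name FROM card_info WHERE name = ?";
        run(encryptDs, false, "INSERT INTO card_info (name, id_no, finshell_card_no) VALUES (?, ?, ?)",
            NAME, "TEST-ID-0001", "TEST-CARD-0001");
        try {
            // Through the wrapper the parameter is encrypted and the result decrypted.
            if (!run(encryptDs, true, select, NAME).contains(NAME)) {
                throw new IllegalStateException("row not found through the encrypt data source");
            }
            // Sent straight to storage, the plaintext must match nothing.
            if (!run(rawDs, true, select, NAME).isEmpty()) {
                throw new IllegalStateException("plaintext name found in card_info");
            }
        } finally {
            run(encryptDs, false, "DELETE FROM card_info WHERE name = ?", NAME);
        }
    }
}
```

Run it against a test database rather than production, since it inserts and then deletes a marker row.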

Desensitization configuration Quick Start - Spring Boot version:

The following steps use Spring Boot, where configuration files alone are enough:

1. Introduce dependency

<!-- for spring boot -->


<!-- for spring namespace -->

2. Spring configuration file

#  Default AES encryptor

#  card_info   full name   AES encryption

#  card_info   ID   AES encryption

#  card_info   Bank card No   AES encryption

#  pay_order   Bank card No   AES encryption



Posted on Wed, 24 Nov 2021 22:15:35 -0500 by d3ad1ysp0rk