【架构实战】数据加密架构:传输加密+存储加密

一、数据加密概述

数据加密是保护数据安全的重要手段:

加密场景:

  • 传输加密(HTTPS)
  • 存储加密(敏感数据)
  • 密钥管理

二、传输加密

1. HTTPS配置

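/**
 * Programmatic TLS setup for the embedded Tomcat server.
 *
 * <p>The key store settings are applied to the factory itself, so the primary
 * connector terminates TLS on port 8443. The original listing built the SSL
 * settings object but never attached it, and added a second connector marked
 * {@code secure}/{@code https} that carried no TLS configuration at all; such a
 * connector serves plaintext while the application treats its requests as secure.
 */
@Configuration
public class SSLConfig {

    // The key store password comes from external configuration rather than from a
    // literal in source control. The property name below is an example constructed
    // for this listing; back it with an environment variable or a secrets manager.
    @Value("${app.tls.key-store-password}")
    private String keyStorePassword;

    /**
     * Builds the Tomcat factory with TLS enabled on the main connector.
     *
     * @return the configured servlet web server factory
     */
    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        tomcat.setProtocol("org.apache.coyote.http11.Http11NioProtocol");

        // Spring Boot's settings holder (org.springframework.boot.web.server.Ssl).
        Ssl ssl = new Ssl();
        ssl.setKeyStore("classpath:keystore.p12");
        ssl.setKeyStorePassword(keyStorePassword);
        ssl.setKeyStoreType("PKCS12");
        // If the runtime's defaults still allow legacy protocol versions, restrict
        // them here with ssl.setEnabledProtocols(...).

        // Attaching the settings is what actually turns TLS on for the connector.
        tomcat.setSsl(ssl);
        tomcat.setPort(8443);

        return tomcat;
    }
}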

2. 证书配置

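# application.yml
server:
  ssl:
    enabled: true
    key-store: classpath:keystore.p12
    # Resolved from the environment at startup so the password is never committed
    # with the configuration file. KEYSTORE_PASSWORD is an example variable name.
    key-store-password: ${KEYSTORE_PASSWORD}
    key-store-type: PKCS12
    key-alias: mycert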

三、对称加密

1. AES加密

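/**
 * Symmetric encryption of short text values with AES in GCM mode.
 *
 * <p>GCM is authenticated encryption: a modified ciphertext is rejected on
 * decryption instead of producing altered plaintext. The original listing used
 * {@code AES/ECB/PKCS5Padding}, which encrypts equal plaintext blocks to equal
 * ciphertext blocks and offers no integrity protection.
 *
 * <p>Output format: {@code Base64(nonce || ciphertext || tag)} with a 12-byte
 * random nonce. Values written by the ECB version cannot be read by this class
 * and must be migrated. Because every encryption uses a fresh nonce, the same
 * plaintext yields different ciphertexts, so equality lookups on an encrypted
 * column no longer match; use a separate keyed hash column if lookups are needed.
 */
@Service
public class AESEncryptionService {

    private static final String ALGORITHM = "AES";
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    // 96-bit nonce and 128-bit tag are the standard GCM parameters.
    private static final int IV_LENGTH_BYTES = 12;
    private static final int TAG_LENGTH_BITS = 128;

    private static final java.security.SecureRandom RANDOM = new java.security.SecureRandom();

    // The UTF-8 bytes of this value are used directly as the AES key, so it must
    // be exactly 16, 24 or 32 bytes long. Supply it from a secrets store, not from
    // a file committed with the code.
    @Value("${encryption.aes.key}")
    private String secretKey;

    /**
     * Encrypts a string.
     *
     * @param plaintext text to encrypt, encoded as UTF-8
     * @return Base64 of nonce, ciphertext and authentication tag
     * @throws RuntimeException if the key is invalid or the cipher fails
     */
    public String encrypt(String plaintext) {
        try {
            // A nonce must never repeat under the same key; draw a new one per call.
            byte[] iv = new byte[IV_LENGTH_BYTES];
            RANDOM.nextBytes(iv);

            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, keySpec(),
                new javax.crypto.spec.GCMParameterSpec(TAG_LENGTH_BITS, iv));

            byte[] encrypted = cipher.doFinal(
                plaintext.getBytes(java.nio.charset.StandardCharsets.UTF_8));

            // Prepend the nonce so decrypt() can recover it; it is not secret.
            byte[] output = new byte[iv.length + encrypted.length];
            System.arraycopy(iv, 0, output, 0, iv.length);
            System.arraycopy(encrypted, 0, output, iv.length, encrypted.length);
            return Base64.getEncoder().encodeToString(output);

        } catch (Exception e) {
            throw new RuntimeException("加密失败", e);
        }
    }

    /**
     * Decrypts a value produced by {@link #encrypt(String)}.
     *
     * @param ciphertext Base64 of nonce, ciphertext and authentication tag
     * @return the original text
     * @throws RuntimeException if the input is malformed, was tampered with, or
     *         was encrypted under a different key
     */
    public String decrypt(String ciphertext) {
        try {
            byte[] input = Base64.getDecoder().decode(ciphertext);
            if (input.length < IV_LENGTH_BYTES + TAG_LENGTH_BITS / 8) {
                throw new IllegalArgumentException("ciphertext too short");
            }

            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, keySpec(),
                new javax.crypto.spec.GCMParameterSpec(TAG_LENGTH_BITS, input, 0, IV_LENGTH_BYTES));

            // doFinal verifies the tag and throws if the data was altered.
            byte[] decrypted = cipher.doFinal(
                input, IV_LENGTH_BYTES, input.length - IV_LENGTH_BYTES);
            return new String(decrypted, java.nio.charset.StandardCharsets.UTF_8);

        } catch (Exception e) {
            throw new RuntimeException("解密失败", e);
        }
    }

    /** Builds the AES key from the configured string using a fixed charset. */
    private SecretKeySpec keySpec() {
        return new SecretKeySpec(
            secretKey.getBytes(java.nio.charset.StandardCharsets.UTF_8), ALGORITHM);
    }
}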

2. 字段加密

/**
 * Attribute converter that encrypts a string field on its way to the database
 * column and decrypts it when the entity is loaded.
 *
 * <p>Empty and null values bypass the encryption service and are stored as-is.
 */
@Component
public class FieldEncryptionConverter implements AttributeConverter<String, String> {

    @Autowired
    private AESEncryptionService encryptionService;

    /**
     * @param attribute the entity value
     * @return the encrypted column value, or the input unchanged when it is empty
     */
    @Override
    public String convertToDatabaseColumn(String attribute) {
        if (StringUtils.isEmpty(attribute)) {
            return attribute;
        }
        return encryptionService.encrypt(attribute);
    }

    /**
     * @param dbData the stored column value
     * @return the decrypted value, or the input unchanged when it is empty
     */
    @Override
    public String convertToEntityAttribute(String dbData) {
        if (StringUtils.isEmpty(dbData)) {
            return dbData;
        }
        return encryptionService.decrypt(dbData);
    }
}

四、非对称加密

1. RSA加密

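/**
 * RSA encryption of small payloads using OAEP padding.
 *
 * <p>The original listing requested {@code Cipher.getInstance("RSA")}, which leaves
 * the padding to the provider default; on the standard JDK provider that is
 * PKCS#1 v1.5, which is exposed to padding-oracle attacks when decryption errors
 * are observable. OAEP with SHA-256 is named explicitly here, and the parameters
 * are passed as a spec so that both sides agree on the MGF1 digest.
 *
 * <p>RSA encrypts only short inputs (about 190 bytes with a 2048-bit key and
 * this padding). Larger data should be encrypted with a symmetric key that is
 * itself wrapped with RSA.
 */
@Service
public class RSAEncryptionService {

    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private static final javax.crypto.spec.OAEPParameterSpec OAEP_SHA256 =
        new javax.crypto.spec.OAEPParameterSpec(
            "SHA-256",
            "MGF1",
            java.security.spec.MGF1ParameterSpec.SHA256,
            javax.crypto.spec.PSource.PSpecified.DEFAULT);

    /**
     * Generates a 2048-bit RSA key pair.
     *
     * @return the new key pair
     * @throws NoSuchAlgorithmException if no provider supplies RSA
     */
    public KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        return generator.generateKeyPair();
    }

    /**
     * Encrypts a short string for the holder of the matching private key.
     *
     * @param plaintext text to encrypt, encoded as UTF-8
     * @param publicKey recipient's RSA public key
     * @return Base64 of the ciphertext
     * @throws Exception if the key is unsuitable or the input is too long
     */
    public String encrypt(String plaintext, PublicKey publicKey)
            throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey, OAEP_SHA256);

        byte[] encrypted = cipher.doFinal(
            plaintext.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encrypted);
    }

    /**
     * Decrypts a value produced by {@link #encrypt(String, PublicKey)}.
     *
     * @param ciphertext Base64 of the ciphertext
     * @param privateKey RSA private key matching the encrypting public key
     * @return the original text
     * @throws Exception if the input is malformed or the padding check fails
     */
    public String decrypt(String ciphertext, PrivateKey privateKey)
            throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, privateKey, OAEP_SHA256);

        byte[] decrypted = cipher.doFinal(
            Base64.getDecoder().decode(ciphertext));
        return new String(decrypted, java.nio.charset.StandardCharsets.UTF_8);
    }
}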

2. 数字签名

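/**
 * Creates and verifies RSA signatures over text using {@code SHA256withRSA}.
 *
 * <p>The text is always encoded as UTF-8 before signing. The original listing
 * used the platform default charset, so a signature made on one host could
 * fail to verify on another host with a different default.
 */
@Service
public class SignatureService {

    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    /**
     * Signs the given text.
     *
     * @param data text to sign
     * @param privateKey signer's RSA private key
     * @return Base64 of the signature bytes
     * @throws Exception if the key is invalid or signing fails
     */
    public String sign(String data, PrivateKey privateKey)
            throws Exception {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initSign(privateKey);
        signature.update(data.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        return Base64.getEncoder().encodeToString(signature.sign());
    }

    /**
     * Checks a signature against the given text.
     *
     * @param data text that was signed
     * @param signatureStr Base64 of the signature bytes
     * @param publicKey signer's RSA public key
     * @return {@code true} only when the signature matches the text and key
     * @throws Exception if the key is invalid or {@code signatureStr} is not valid Base64
     */
    public boolean verify(String data, String signatureStr, PublicKey publicKey)
            throws Exception {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initVerify(publicKey);
        signature.update(data.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        return signature.verify(Base64.getDecoder().decode(signatureStr));
    }
}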

五、哈希(单向摘要)

1. 密码哈希

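/**
 * Hashes and verifies user passwords with bcrypt.
 *
 * <p>bcrypt embeds a random salt and a cost factor in each hash, so equal
 * passwords yield different stored values and must be checked with
 * {@link #verifyPassword(String, String)}, never by comparing hash strings.
 */
@Service
public class PasswordHashService {

    // One shared encoder. The original listing called encode() as a static method,
    // which does not compile because encode() is an instance method.
    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();

    /**
     * @param password the clear-text password
     * @return the bcrypt hash to store
     */
    public String hashPassword(String password) {
        return encoder.encode(password);
    }

    /**
     * @param password the clear-text password supplied at login
     * @param hashedPassword the stored bcrypt hash
     * @return {@code true} when the password matches the stored hash
     */
    public boolean verifyPassword(String password, String hashedPassword) {
        return encoder.matches(password, hashedPassword);
    }
}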

2. 数据完整性

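/**
 * Digest and message-authentication helpers for integrity checks.
 *
 * <p>A plain digest only detects accidental corruption: anyone who can change the
 * data can recompute it. Use {@link #hmacSha256(String, String)} when the check
 * must resist deliberate tampering.
 */
@Service
public class HashService {

    /**
     * Returns the MD5 digest of the text in hexadecimal.
     *
     * <p>MD5 is not collision resistant. Keep it for non-security uses such as
     * cache keys or compatibility with existing checksums, and never for
     * passwords, signatures or tamper detection.
     */
    public String md5(String data) {
        return DigestUtils.md5Hex(data);
    }

    /** Returns the SHA-256 digest of the text in hexadecimal. */
    public String sha256(String data) {
        return DigestUtils.sha256Hex(data);
    }

    /**
     * Computes an HMAC-SHA256 tag over the text.
     *
     * <p>Both the key and the data are encoded as UTF-8; the original listing used
     * the platform default charset, so tags could differ between hosts. When
     * checking a received tag, compare the decoded bytes with
     * {@code MessageDigest.isEqual} rather than {@code String.equals}, so the
     * comparison time does not depend on where the values differ.
     *
     * @param data text to authenticate
     * @param key shared secret
     * @return Base64 of the 32-byte tag
     * @throws IllegalStateException if HmacSHA256 is unavailable or the key is rejected
     */
    public String hmacSha256(String data, String key) {
        try {
            SecretKeySpec secretKey = new SecretKeySpec(
                key.getBytes(java.nio.charset.StandardCharsets.UTF_8), "HmacSHA256");

            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(secretKey);

            byte[] hmac = mac.doFinal(
                data.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(hmac);

        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}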

六、密钥管理

1. 密钥轮换

/**
 * Outline of a key-rotation step: generate a new key pair, store it under the
 * next version number, then advance the current version.
 *
 * NOTE(review): this listing is a sketch. {@code rsaService} and {@code keyStore}
 * are used below but not declared in the class as shown, and step 2 is left as
 * a placeholder.
 */
@Service
public class KeyRotationService {
    
    // Version of the key currently in use, read from configuration at startup.
    @Value("${encryption.key.version}")
    private int currentVersion;
    
    /**
     * Performs one rotation.
     *
     * @throws Exception if key generation or storage fails
     */
    public void rotateKey() throws Exception {
        // 1. Generate the new key
        KeyPair newKeyPair = rsaService.generateKeyPair();
        
        // 2. Re-protect what the old key protected
        // NOTE(review): this map is created but never filled or used in the listing.
        Map<Integer, String> encryptedKeys = new HashMap<>();
        // ... encrypt the old key with the new key
        
        // 3. Store the new key
        keyStore.store(newKeyPair, currentVersion + 1);
        
        // 4. Update the version number
        // NOTE(review): only the in-memory field changes here; nothing visible
        // persists the new version or guards against concurrent rotations, and old
        // key versions must stay readable until all data is re-encrypted — confirm.
        currentVersion++;
    }
}

2. 密钥托管

/**
 * Registers the AWS Systems Manager client used to fetch key material.
 *
 * <p>Despite the class name, the client is for Systems Manager (Parameter Store),
 * not for the KMS API itself.
 */
@Configuration
public class KMSConfig {

    /**
     * @return a client built by {@code defaultClient()}
     */
    @Bean
    public AWSSimpleSystemsManagement awsSSM() {
        AWSSimpleSystemsManagement client =
            AWSSimpleSystemsManagementClientBuilder.defaultClient();
        return client;
    }
}

/**
 * Reads key material from AWS Systems Manager by parameter name.
 *
 * <p>The returned string is the decrypted secret: do not log it, and keep the
 * IAM permission to read the parameter limited to the services that need it.
 */
@Service
public class KMSKeyService {

    @Autowired
    private AWSSimpleSystemsManagement awsSSM;

    /**
     * @param keyId name of the parameter holding the key
     * @return the parameter's value, requested with decryption enabled
     */
    public String getKey(String keyId) {
        GetParameterRequest lookup = new GetParameterRequest();
        lookup.withName(keyId);
        lookup.withWithDecryption(true);

        return awsSSM.getParameter(lookup).getParameter().getValue();
    }
}

七、敏感数据保护

1. 字段脱敏

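/**
 * Masks personal identifiers before they are displayed or logged.
 *
 * <p>Inputs shorter than the expected layout are masked completely. The original
 * listing called {@code substring} with fixed offsets and threw
 * {@code StringIndexOutOfBoundsException} on such inputs.
 */
@Component
public class SensitiveDataFilter {

    // Shortest inputs for which the fixed offsets below are valid.
    private static final int PHONE_MIN_LENGTH = 7;
    private static final int ID_CARD_MIN_LENGTH = 14;

    /**
     * Keeps the first three characters and everything from index 7, replacing
     * the middle with four asterisks.
     *
     * @param phone phone number, may be {@code null}
     * @return the masked number, or {@code null} for {@code null} input
     */
    @SensitiveField(type = MaskingType.PHONE)
    public String maskPhone(String phone) {
        if (phone == null) {
            return null;
        }
        if (phone.length() < PHONE_MIN_LENGTH) {
            // Too short to match the layout: reveal nothing rather than fail.
            return maskAll(phone);
        }
        return phone.substring(0, 3) + "****" + phone.substring(7);
    }

    /**
     * Keeps the first six characters and everything from index 14, replacing
     * the middle with eight asterisks.
     *
     * @param idCard identity card number, may be {@code null}
     * @return the masked number, or {@code null} for {@code null} input
     */
    @SensitiveField(type = MaskingType.ID_CARD)
    public String maskIdCard(String idCard) {
        if (idCard == null) {
            return null;
        }
        if (idCard.length() < ID_CARD_MIN_LENGTH) {
            return maskAll(idCard);
        }
        return idCard.substring(0, 6) + "********" + idCard.substring(14);
    }

    /** Replaces every character with an asterisk, preserving the length. */
    private static String maskAll(String value) {
        StringBuilder masked = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            masked.append('*');
        }
        return masked.toString();
    }
}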

2. 全链路加密

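/**
 * Hybrid (envelope) encryption for a single recipient: the message is encrypted
 * with a one-time AES key, and that key is encrypted with the recipient's RSA
 * public key.
 *
 * <p>The original listing requested {@code "AES"} and {@code "RSA"} without a mode
 * or padding, which on the standard JDK provider resolve to AES/ECB and PKCS#1
 * v1.5. This version names AES-GCM and RSA-OAEP explicitly.
 */
@Component
public class EndToEndEncryptionService {

    /**
     * Encrypts a message so that only the recipient's private key can read it.
     *
     * <p>Result format: {@code Base64(nonce || ciphertext || tag) + ":" + Base64(wrappedKey)}.
     * The first 12 bytes of the data part are the GCM nonce, which the receiving
     * side needs for decryption.
     *
     * @param plaintext message text, encoded as UTF-8
     * @param recipientPublicKey recipient's public key in the form accepted by
     *        {@code getPublicKey} (not shown in this listing)
     * @return the encrypted data and the wrapped key, separated by a colon
     * @throws Exception if a key is invalid or a cipher operation fails
     */
    public String encryptForRecipient(String plaintext, String recipientPublicKey)
            throws Exception {
        // 1. Generate a random one-time symmetric key
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey symmetricKey = keyGen.generateKey();

        // 2. Encrypt the data with the symmetric key (AES-GCM, fresh 96-bit nonce)
        byte[] iv = new byte[12];
        new java.security.SecureRandom().nextBytes(iv);
        Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding");
        aesCipher.init(Cipher.ENCRYPT_MODE, symmetricKey,
            new javax.crypto.spec.GCMParameterSpec(128, iv));
        byte[] sealed = aesCipher.doFinal(
            plaintext.getBytes(java.nio.charset.StandardCharsets.UTF_8));

        byte[] encryptedData = new byte[iv.length + sealed.length];
        System.arraycopy(iv, 0, encryptedData, 0, iv.length);
        System.arraycopy(sealed, 0, encryptedData, iv.length, sealed.length);

        // 3. Encrypt the symmetric key with the recipient's public key (RSA-OAEP)
        Cipher rsaCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsaCipher.init(Cipher.ENCRYPT_MODE, getPublicKey(recipientPublicKey),
            new javax.crypto.spec.OAEPParameterSpec(
                "SHA-256",
                "MGF1",
                java.security.spec.MGF1ParameterSpec.SHA256,
                javax.crypto.spec.PSource.PSpecified.DEFAULT));
        byte[] encryptedKey = rsaCipher.doFinal(symmetricKey.getEncoded());

        // 4. Return the encrypted data together with the wrapped key
        return Base64.getEncoder().encodeToString(encryptedData) + ":" +
               Base64.getEncoder().encodeToString(encryptedKey);
    }
}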

八、总结

数据加密是保护数据安全的基础:

  • 传输加密:HTTPS/TLS
  • 存储加密:AES/RSA
  • 密钥管理:轮换/托管
  • 敏感保护:脱敏/全链路加密

个人观点,仅供参考
