Platform security matters. Whether you are building a composite application for the AppExchange, creating OAuth-based integrations, or simply connecting Salesforce to an internal system, the data moving between systems will draw questions from your security team. The Apex Crypto class gives you the building blocks to answer some of them: symmetric (AES) encryption and decryption, hashing, HMACs and digital signatures.
We use Salesforce encryption and decryption logic regularly in our applications. For instance, our Currency Management Application exchanges data between the client's Salesforce organization, our own Salesforce organization and our interactiveties.com web servers. To keep that inter-platform communication secure we include encrypted keys in our request/response logic, which lets us verify what we receive and reject unauthorized or malicious requests.
This post introduces the Crypto class and gives you enough detail to start using it in your own code as you continue building on the platform.
```apex
/*
Created by: Greg Hacic
Last Update: 9 February 2017 by Greg Hacic
Questions?: greg@interactiveties.com
Notes:
- methods for encrypting Strings and decrypting ciphers using Advanced Encryption Standard (AES) keys
- currently supported algorithms: AES128, AES192 and AES256 (key lengths of 16, 24 and 32 bytes)
- the Crypto class uses AES in CBC mode with PKCS#5 padding; the initialization vector must be exactly 16 bytes
*/
public class encryptionCodeShare {

    private String dataToBeEncrypted = 'This is a long string that we encrypt using Advanced Encryption Standards'; //string to be encrypted
    private Blob dataToBeEncryptedAsBlob = Blob.valueOf(dataToBeEncrypted); //converts the string to a blob
    private Blob crypto128Key = Crypto.generateAesKey(128); //Salesforce generated 128 bit AES key; it exists only for this transaction, so only this instance can decrypt what it encrypts
    private String string192Key = 'ro7jW2ndy2Z/1SBpT5aLEbDiP1nPKKLa'; //Base64-encoded 192 bit AES key generated outside of Salesforce > for demonstration purposes only - never hardcode a key in Apex; load it from a protected custom setting or protected custom metadata
    private String stringIV = '01234567Xgfedcba'; //16 ASCII characters = 128 bit initialization vector > fixed here for demonstration only; in production use a fresh random IV for every message
    private Blob crypto192Key = EncodingUtil.base64Decode(string192Key); //converts the Base64-encoded key to its raw 24 byte form
    private Blob iv = Blob.valueOf(stringIV); //initialization vector as a Blob; Crypto.encrypt rejects it if it is not exactly 16 bytes

    //encryption using AES128 and the Salesforce generated key; Salesforce also generates a random IV and stores it as the first 16 bytes of the returned Blob
    public Blob encrypt128() {
        Blob returnCipher = Crypto.encryptWithManagedIV('AES128', crypto128Key, dataToBeEncryptedAsBlob); //encrypts the Blob using the AES128 algorithm and the 128 bit key
        return returnCipher; //return the Blob (IV + ciphertext)
    }

    //decryption using AES128 and the Salesforce generated key; the IV is read back from the first 16 bytes of the cipher Blob
    public String decrypt128() {
        Blob encryptedCipher = encrypt128(); //encrypt the dataToBeEncrypted string
        Blob decryptedCipher = Crypto.decryptWithManagedIV('AES128', crypto128Key, encryptedCipher); //decrypt the cipher using the AES128 algorithm and the 128 bit key
        return decryptedCipher.toString(); //convert the blob to a string and return
    }

    //encryption using AES192, the externally generated key and an explicit initialization vector
    public Blob encrypt192() {
        Blob returnCipher = Crypto.encrypt('AES192', crypto192Key, iv, dataToBeEncryptedAsBlob); //encrypts the Blob using the AES192 algorithm, the 192 bit key and the initialization vector
        return returnCipher; //return the Blob (ciphertext only; the receiver must already know the IV)
    }

    //decryption using AES192, the externally generated key and the same initialization vector
    public String decrypt192() {
        Blob encryptedCipher = encrypt192(); //encrypt the dataToBeEncrypted string
        Blob decryptedCipher = Crypto.decrypt('AES192', crypto192Key, iv, encryptedCipher); //decrypt the cipher using the AES192 algorithm, the 192 bit key and the initialization vector
        return decryptedCipher.toString(); //convert the blob to a string and return
    }
}
```
The example shows two ways to supply the secret (symmetric) key. The AES128 methods let Salesforce generate both the key (Crypto.generateAesKey) and the initialization vector: encryptWithManagedIV prepends a random 16 byte IV to the returned Blob and decryptWithManagedIV reads it back from there. The AES192 methods use a key generated outside Salesforce together with an IV you supply, which is what you need when the other end of the exchange is not a Salesforce org. Two cautions before you reuse this in production. First, a key generated outside Salesforce must not live in the Apex class as shown above; keep it in a protected custom setting or protected custom metadata type, or another store that subscribers cannot read and that never ends up in source control. Second, the fixed IV in the example is for demonstration only: with AES in CBC mode a reused IV lets an observer tell when two messages begin with the same plaintext, so generate a fresh random IV per message (Crypto.generateAesKey(128) is a convenient source of 16 random bytes) and send it alongside the ciphertext, or simply use the managed-IV methods. Finally, AES encryption on its own does not prove that a message was not altered in transit; if you need integrity, compute an HMAC over the ciphertext with Crypto.generateMac('hmacSHA256', ...) under a second key and verify it before decrypting.
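The other half of the cross-platform exchange described above is the web server, which has to produce and consume exactly the byte layout the Apex Crypto class uses. The following Go program is an added example; it is not code from the original post or from interactiveties.com. It relies on the documented Crypto behaviour (AES in CBC mode with PKCS#5 padding, and encryptWithManagedIV storing the random IV as the first 16 bytes of the returned Blob) and reuses the demo key and message from the Apex class. It goes a step beyond the post by adding an HMAC-SHA256 tag over the blob and showing why that tag is needed: flipping one bit of a CBC ciphertext still decrypts without error. The function names and the HMAC key are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// pkcs5Pad appends 1..16 bytes, each equal to the pad length, to reach a multiple of 16 bytes.
func pkcs5Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding and rejects malformed padding rather than returning garbage.
func pkcs5Unpad(data []byte) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// Encrypt is the counterpart of Crypto.encrypt(algorithm, key, iv, data): AES-CBC with PKCS#5 padding.
// Go selects AES128/192/256 from the key length (16/24/32 bytes), as the algorithm name does in Apex.
func Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly 16 bytes")
	}
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// Decrypt is the counterpart of Crypto.decrypt(algorithm, key, iv, cipherText).
func Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("iv must be 16 bytes and ciphertext a non-empty multiple of 16 bytes")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs5Unpad(out)
}

// EncryptWithManagedIV mirrors Crypto.encryptWithManagedIV: a fresh random IV per message, stored as the
// first 16 bytes of the returned blob, so the receiver only needs the key.
func EncryptWithManagedIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := Encrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptWithManagedIV mirrors Crypto.decryptWithManagedIV: split off the leading IV, decrypt the rest.
func DecryptWithManagedIV(key, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize {
		return nil, errors.New("blob too short to hold an IV and one ciphertext block")
	}
	return Decrypt(key, blob[:aes.BlockSize], blob[aes.BlockSize:])
}

// Tag is HMAC-SHA256 over the whole blob under a separate key (Apex: Crypto.generateMac('hmacSHA256', blob, macKey)).
// AES-CBC alone does not detect tampering, so the receiver must check the tag before decrypting.
func Tag(macKey, blob []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(blob)
	return m.Sum(nil)
}

// VerifyTag compares the tags in constant time.
func VerifyTag(macKey, blob, tag []byte) bool { return hmac.Equal(Tag(macKey, blob), tag) }

func main() {
	key, _ := base64.StdEncoding.DecodeString("ro7jW2ndy2Z/1SBpT5aLEbDiP1nPKKLa") // the 192 bit demo key from the Apex class
	macKey := []byte("constructed-demo-hmac-key")                                  // constructed placeholder, not a real key
	msg := []byte("This is a long string that we encrypt using Advanced Encryption Standards")
	blob, _ := EncryptWithManagedIV(key, msg)
	tag := Tag(macKey, blob)
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 0x01 // flip one IV bit: CBC still "decrypts", but the first plaintext byte changes
	pt, err := DecryptWithManagedIV(key, tampered)
	fmt.Printf("blob=%d bytes, tag ok=%v, tampered tag ok=%v, decrypt err=%v, first byte=%q\n",
		len(blob), VerifyTag(macKey, blob, tag), VerifyTag(macKey, tampered, tag), err, pt[0])
}
```

Ciphertext produced by Crypto.encrypt('AES192', key, iv, data) in Apex decrypts with Decrypt above given the same key and IV bytes, and a Blob from Crypto.encryptWithManagedIV decrypts with DecryptWithManagedIV; the reverse direction holds as well. Send the HMAC tag next to the blob and have the Apex side check it with Crypto.generateMac before calling decrypt, so a modified message is rejected instead of silently yielding corrupted plaintext.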
The best way to learn this is to experiment. The class above is a solid starting point: change the algorithm, the key length and the way the IV is handled, and observe what the Crypto methods accept and reject.