I'm developing an application that should encrypt some small (less than 1MB) and large (about 500MB) files.
How can I encrypt files and save the encrypted version somewhere on disk effectively (i.e. fast)?
Can I have encryption progress if it took time?

- How much security do you require? Generally the weaker the encryption the faster it will be and vice versa. – Sean Dawson Aug 12 '12 at 06:37
- You can use `BouncyCastle` API. – Bhavik Ambani Aug 12 '12 at 06:42
- @NoxHarmonium: How should I measure it? ;-) I need the files to be as secure as possible. I don't care if the encryption is slow; I only want it to work at the maximum rate it can go. (I mean something like file copy using `java.io` and `java.nio`) – Ariyan Aug 12 '12 at 06:43
- Progress? Like [ProgressMonitorInputStream](http://docs.oracle.com/javase/6/docs/api/javax/swing/ProgressMonitorInputStream.html)? – President James K. Polk Aug 12 '12 at 13:24
2 Answers
Assuming you have an AES key and some output stream, here's how you could add an encryption decorator to the stream.
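```java
import java.security.AlgorithmParameters;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.spec.IvParameterSpec;

Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
enc.init(Cipher.ENCRYPT_MODE, key);  // no IV supplied, so the provider generates a random one
AlgorithmParameters params = enc.getParameters();
IvParameterSpec iv = params.getParameterSpec(IvParameterSpec.class);
out.write(iv.getIV());               // write the IV in the clear ahead of the ciphertext
out = new CipherOutputStream(out, enc);  // constructor takes (stream, cipher)
```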
This adds the IV to the beginning of the cipher text; when decrypting, you'd need to parse that out to initialize the cipher.
A better solution, long term, would be to use a library that implements the Cryptographic Message Syntax, the basis for S/MIME. This records metadata about the algorithms and keys that can be used for decryption.
I would also recommend an AEAD mode like GCM or CCM if your provider implements it. (The SunJCE does not.) These will verify that the file is decrypted correctly, and has not been corrupted.

- @owlstead I know the API is there for GCM now, and expected SunJCE to provide it, but when I went to check, I couldn't find mention of it [in the documentation.](http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html) Do you know of any commitment by Oracle to provide it through an included JCE provider? – erickson Aug 12 '12 at 15:39
- Oops, my apologies, I probably used a non-standard build path there. From the source: "*Java SE has already defined the AEAD/GCM interfaces in JDK 7. In JDK 8 the JCA/JCE providers will implement these AEAD/GCM interfaces. We’re also likely to add some additional mechanisms for PKCS11, if the current PKCS11 standard supports it.*" – Maarten Bodewes Aug 12 '12 at 17:33
- Of course the Bouncy Castle API does contain an implementation to perform GCM mode. I'll try and build it into the provider after ending my Stanford University crypto class. – Maarten Bodewes Aug 12 '12 at 17:38
As Bhavik mentioned above, BouncyCastle would be a good way to go; it's lightweight and mature. You can definitely see the progress of the encryption as you can control how much to read and write at once. You could read bytes from a file, encrypt them and write back to another file in a pipeline.
An example of this is mentioned in this question: How to encrypt a string/stream with bouncycastle pgp without starting with a file

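An added example, not part of either answer above: it combines the IV-prefix layout from the first answer with the chunked read/encrypt/write loop from the second, using GCM so that corruption is detected on decryption. It assumes a JCE provider that implements `AES/GCM/NoPadding`; the class name `GcmFileDemo`, the file layout and the sample data are constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.SecureRandom;
import java.util.function.LongConsumer;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class GcmFileDemo {                           // hypothetical class name
    // File layout: 12-byte random IV || ciphertext || 16-byte GCM tag.
    static void crypt(boolean encrypt, SecretKey key, Path src, Path dst,
                      LongConsumer progress) throws Exception {
        byte[] iv = new byte[12];
        try (DataInputStream in = new DataInputStream(Files.newInputStream(src));
             OutputStream out = new BufferedOutputStream(Files.newOutputStream(dst))) {
            if (encrypt) { new SecureRandom().nextBytes(iv); out.write(iv); } // fresh IV per file
            else in.readFully(iv);                   // parse the IV prefix back out
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE, key,
                   new GCMParameterSpec(128, iv));
            byte[] buf = new byte[64 * 1024];
            long done = 0;
            for (int n; (n = in.read(buf)) != -1; ) {
                byte[] chunk = c.update(buf, 0, n);  // may be null while the provider buffers
                if (chunk != null) out.write(chunk);
                progress.accept(done += n);          // input bytes consumed so far
            }
            out.write(c.doFinal());                  // appends the tag, or verifies it
        } catch (Exception e) {
            Files.deleteIfExists(dst);               // leave no unauthenticated output behind
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        Path plain = Files.createTempFile("demo", ".bin");   // constructed sample input
        Path enc = Files.createTempFile("demo", ".enc"), dec = Files.createTempFile("demo", ".out");
        Files.write(plain, new byte[300_000]);
        long size = Files.size(plain);
        crypt(true, key, plain, enc, n -> System.out.printf("encrypted %d%%%n", 100 * n / size));
        crypt(false, key, enc, dec, n -> { });
        System.out.println(java.util.Arrays.equals(Files.readAllBytes(plain), Files.readAllBytes(dec)));
        byte[] bad = Files.readAllBytes(enc);
        bad[20] ^= 1;                                        // simulate on-disk corruption
        Files.write(enc, bad);
        try { crypt(false, key, enc, dec, n -> { }); }
        catch (AEADBadTagException e) { System.out.println("corruption detected"); }
    }
}
```

Some providers release no plaintext until `doFinal()` has verified the tag, so decrypting a very large file this way can need memory on the order of the file size.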