Quick Start Guide to Data Desensitization with Apache ShardingSphere and Spring

This article explains how to use Apache ShardingSphere's data desensitization module with Spring and Spring Boot to transparently encrypt sensitive fields such as ID numbers and bank cards, covering pain points, configuration steps, code examples, and datasource integration for compliance‑driven applications.

Architecture Digest

In real business scenarios, databases often need to store sensitive customer information such as ID numbers, bank card numbers, names, and phone numbers, which must be encrypted to satisfy compliance requirements.

Pain Point 1

The usual solution is to manually encrypt the relevant fields in SQL statements before insertion and manually decrypt them when querying. Although feasible, this approach is cumbersome and tightly couples business development with compliance details.

Pain Point 2

For systems that were launched quickly without compliance desensitization, a fast way is needed to bring the existing business into compliance while minimizing changes to the original system. This typically involves adding desensitized columns, migrating data, and adding compatibility logic in the code.

Apache ShardingSphere provides a data desensitization module that parses and intercepts user‑input SQL, rewrites it according to user‑defined desensitization rules, and transparently performs encryption and decryption, achieving seamless encrypted storage and query.

Desensitization Configuration – Quick Start (Spring)

1. Add Dependency

<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

2. Create Desensitization Rule Object

Before creating the datasource, prepare an EncryptRuleConfiguration for desensitization. The example below configures AES encryption for two tables (card_info and pay_order) and several columns.

private EncryptRuleConfiguration getEncryptRuleConfiguration() {
    Properties props = new Properties();
    // built‑in AES algorithm requires key
    props.setProperty("aes.key.value", aeskey);
    EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("AES", props);
    EncryptRuleConfiguration encryptRuleConfig = new EncryptRuleConfiguration();
    encryptRuleConfig.getEncryptors().put("aes", encryptorConfig);
    // START: card_info table configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "name", "", "aes");
        EncryptColumnRuleConfiguration columnConfig2 = new EncryptColumnRuleConfiguration("", "id_no", "", "aes");
        EncryptColumnRuleConfiguration columnConfig3 = new EncryptColumnRuleConfiguration("", "finshell_card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("name", columnConfig1);
        columnConfigMaps.put("id_no", columnConfig2);
        columnConfigMaps.put("finshell_card_no", columnConfig3);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("card_info", tableConfig);
    }
    // END: card_info table configuration
    // START: pay_order table configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("card_no", columnConfig1);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("pay_order", tableConfig);
    }
    // END: pay_order table configuration
    log.info("Desensitization configuration built: {}", encryptRuleConfig);
    return encryptRuleConfig;
}

Explanation:

When creating EncryptColumnRuleConfiguration, the first two parameters are plainColumn and cipherColumn. For new systems only the cipher column needs to be set, so plainColumn is left empty.

EncryptTableRuleConfiguration receives a map of logical column names to their EncryptColumnRuleConfiguration. ShardingSphere rewrites SQL by mapping logical columns to either plain or cipher columns according to this configuration.

3. Manage DataSource with ShardingSphere

@Bean("tradePlatformDataSource")
public DataSource dataSource(@Qualifier("druidDataSource") DataSource ds) throws SQLException {
    return EncryptDataSourceFactory.createDataSource(ds, getEncryptRuleConfiguration(), new Properties());
}

Desensitization Configuration – Quick Start (Spring Boot)

1. Add Dependency

<!-- for spring boot -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-boot-starter</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>
<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

2. Spring Configuration File

spring.shardingsphere.datasource.name=ds
spring.shardingsphere.datasource.ds.type=com.alibaba.druid.pool.DruidDataSource
spring.shardingsphere.datasource.ds.driver-class-name=com.mysql.jdbc.Driver
spring.shardingsphere.datasource.ds.url=jdbc:mysql://host:3306/db
spring.shardingsphere.datasource.ds.username=root
spring.shardingsphere.datasource.ds.password=secret

# Default AES encryptor
spring.shardingsphere.encrypt.encryptors.encryptor_aes.type=aes
spring.shardingsphere.encrypt.encryptors.encryptor_aes.props.aes.key.value=hkiqAXU6Ur5fixGHaO4Lb2V2ggausYwW

# card_info table encryption rules
spring.shardingsphere.encrypt.tables.card_info.columns.name.cipherColumn=name
spring.shardingsphere.encrypt.tables.card_info.columns.name.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.cipherColumn=id_no
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.cipherColumn=finshell_card_no
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.encryptor=encryptor_aes

# pay_order table encryption rule
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.cipherColumn=card_no
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.encryptor=encryptor_aes

With these steps, the application can store and query encrypted sensitive data without any manual encryption/decryption code, fully satisfying compliance requirements.
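To see what the configurations above leave in a cipher column, and to audit rows for values that bypassed the encrypt datasource, the following added example (not from the original article or the ShardingSphere code base) models the built-in AES encryptor. It assumes the 4.x behaviour: a key taken from the first 16 bytes of SHA-1(aes.key.value), the JCE default "AES" transformation, and Base64 output; confirm this against the version you deploy. The class name, key and sample value are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;

// Added illustration, not ShardingSphere source. ASSUMPTION: the built-in AES encryptor
// uses the first 16 bytes of SHA-1(aes.key.value) as key, the JCE default "AES"
// transformation (AES/ECB/PKCS5Padding on stock JDKs) and Base64 output.
public class CipherColumnCheck {
    static Cipher cipher(int mode, String keyValue) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(keyValue.getBytes(StandardCharsets.UTF_8));
        Cipher c = Cipher.getInstance("AES");
        c.init(mode, new SecretKeySpec(Arrays.copyOf(sha1, 16), "AES"));
        return c;
    }
    static String encrypt(String keyValue, String plain) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, keyValue).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }
    static String decrypt(String keyValue, String stored) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE, keyValue).doFinal(Base64.getDecoder().decode(stored));
        return new String(pt, StandardCharsets.UTF_8);
    }

    // Heuristic audit check: does a raw column value decrypt under the configured key?
    // Rows written through a plain connection normally fail Base64, block-size or padding checks.
    static boolean looksEncrypted(String keyValue, String rawColumnValue) {
        try {
            decrypt(keyValue, rawColumnValue);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String key = "constructed-demo-key";   // constructed; stands in for aes.key.value
        String idNo = "ID-TEST-0001";          // constructed sample value for card_info.id_no
        String stored = encrypt(key, idNo);
        System.out.println("stored in id_no     : " + stored);
        // Deterministic: the same plaintext always yields the same ciphertext, which is what
        // lets a rewritten WHERE id_no = ? match, and also lets a table reader spot equal values.
        System.out.println("deterministic       : " + stored.equals(encrypt(key, idNo)));
        System.out.println("round trip          : " + idNo.equals(decrypt(key, stored)));
        System.out.println("plaintext row caught: " + !looksEncrypted(key, idNo));
    }
}
```

Run looksEncrypted against values read over a plain JDBC connection, not the encrypt datasource, to confirm that columns such as id_no and card_no hold ciphertext rather than leftover plaintext.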
