I'm a newb so forgive the lack of clarity. I don't have a particular threat model in mind, as I'm just learning how to think about these issues. This code is a learning project, not intended for production.
The reason for encrypting the data in the database is to protect the data at rest. Encrypting that data (assuming the keys are managed properly) means that, in the (inevitable) case of a data breach, PCI/HIPAA/etc. would not require notifying those whose data has been compromised. Some effort up-front can prevent a huge expense down the line. I'm sure Sony would attest to that.
Your point that, if an attacker has access to memory, the data is already lost, is well taken. I had come to that conclusion because JTextComponents return their text as unprotected Strings. The plaintext is already there. I'm not trying to rewrite Swing.
There are ways of authorizing access to segments of memory, aren't there? Perhaps an object could be created within protected memory, accept input, and encipher it before it has the opportunity to leave the memory? Or would the entire JVM be within protected memory if any of it is? I don't really know how that works.
Thanks for your response.