My mail program stores data in a JavaBean which includes email contacts, host name etc. The JavaBean is serialized and written to a file. I want to be able to keep the data more private. Which is the best method to encrypt the data file without the user having to input a password each time the program starts up.
Isaac Hewitt wrote: Which is the best method to encrypt the data file without the user having to input a password each time the program starts up.
If you don't use some form of password protection for a key store and you don't use Password Based Encryption (PBE) then the encryption key has to be stored somewhere in your program or in a file on disk. If you store it in your code you might be able to obfuscate the key but you can't make it impossible to find after decompiling the application.
Retired horse trader.
Note: double-underline links may be advertisements automatically added by this site and are probably not endorsed by me.
+1 on what James said. Assuming you somehow address the password problem, have a look at javax.crypto.CipherOutputStream
and javax.crypto.CipherInputStream, which solve the technical issue of encrypted I/O. A Cipher of "AES-128" should work fine.
As @Lester said, AES-128 is a strong cipher and easy to use.
What is not easy to use is to protect the key used to encipher the data before you serialize it. This may be a serious challenge to your design. If you store the key as a string in the class/source, then someone can decompile the .class file and get the sting constant. Once they get the constant key, they can trivially decipher the data from the disk.
Depending on your threat model, you may be tempted to encode the key with something, but that is always essentially SBO, security by obscurity. And again, a decompile will show exectly what you are doing, and be obvious to the attacker.