Is it possible to set data encryption in DB in Keycloak settings

Due to some GDPR rules required on our project we need to encrypt not only passwords or keys, but also other user data such as name, email, etc. Is there a possibility to define what user data should be encrypted in DB? If not what solution do you suggest?

1 Like

Is there any feedback for this question?

i’m looking for the same “problem”.
I’d tried different way to implement it (without success):

  1. Create Custom SPI (it seems we haven’t a factory to do that…UserStoareProviderFactory seems not good for the goal or maybe i haven’t an idea about his implementation :smiley: )
  2. DB Level Encryption (it requires to make a lot of modifies on queries to use the correct function)
  3. Create an Extension to try to create a plugin to encrypt\decrypt user_entity datas any time a method call set\get methods. (i dunno how to to this…if it can be do it XD).

Any ideas\suggestions? :slight_smile:

Thank you

Somebody managed to implement this feature?

Same thing, started with kc and now we are stuck at the encryption of data at rest… any Ideas?

Hi, is there any progress on this?

This is out of Keycloak‘s scope, you‘ll have to use approaches/options your used database provides.

Per my slack message, this won’t/shouldn’t happen in Keycloak. Use one of these options in the database, depending on your requirements PostgreSQL: Documentation: 16: 19.8. Encryption Options

1 Like

I made it, creating a custom JPA converter(implementing jakarta.persistence.AttributeConverter) + orml.xml

Also I created a custom JpaUserProvider to redefine the way to search in the database

@xalfonso how is your solution working for you? do you have any more information on how you achieved this and is there anyway you can share the code via github?

@xalfonso Are you able to share your implementation for this? We’re coming across the same issue and would be grateful to see how you achieved this.

Hi all,

Here is a good news that I’ve implemented a provider that performs encryption of user attributes before storing to database and later decrypt them upon loading from database.

Enabling the encryption for a specific user attribute is as simple as adding the custom validator of type “pii-data-encryption” inside the “Create attribute” or “Edit attribute” form of that attribute in the admin console.

Ideas and contributions will be welcomed.