Can Themis Decrypt Data Encrypted by another library with AES/GCM/NoPadding?

[VolodymyrKryvonos]

I have a project where a significant amount of data is encrypted using AES/GCM/NoPadding with javax.Cypher. I want to use Themis to improve performance but want to avoid migrating the existing data in the database.

Is there any way to decrypt data encrypted with AES/GCM/NoPadding using Themis? If so, how can this be achieved?

[G1gg1L3s]

Hi, @VolodymyrKryvonos. Thanks for the question!

While it's true that Themis uses AES-GCM under the hood, it also uses custom KDF to derive the actual encryption key from the supplied key material (see here). This means that it is likely incompatible with your encryption scheme and it wouldn't be possible to apply Themis here.

Still, to avoid the need for migrating large amounts of data all at once, you can opt for a more gradual approach. When you select a record, check if it's encrypted with the old scheme, decrypt it and re-encrypt using Themis. This approach will require some form of ciphertext versioning, so you'll need to extend the database schema or prepend markers to Themis ciphertexts to distinguish them from those encrypted with the previous scheme.

[VolodymyrKryvonos]

Thanks for quick response