The methods in the Crypto class can be used for securing content in Lightning Platform, or for integrating with external services such as Google or Amazon Web Services (AWS).
Exception | Message | Description |
---|---|---|
InvalidParameterValue | Unable to parse initialization vector from encrypted data. | Thrown if you're using managed initialization vectors, and the cipher text is less than 16 bytes. |
InvalidParameterValue | Invalid algorithm algoName. Must be AES128, AES192, or AES256. | Thrown if the algorithm name isn't one of the valid values. |
InvalidParameterValue | Invalid private key. Must be size bytes. | Thrown if size of the private key doesn't match the specified algorithm. |
InvalidParameterValue | Invalid initialization vector. Must be 16 bytes. | Thrown if the initialization vector isn't 16 bytes. |
InvalidParameterValue | Invalid data. Input data is size bytes, which exceeds the limit of 1048576 bytes. | Thrown if the data is greater than 1 MB. For decryption, 1048608 bytes are allowed for the initialization vector header, plus any additional padding the encryption added to align to block size. |
NullPointerException | Argument cannot be null. | Thrown if one of the required method arguments is null. |
SecurityException | Given final block not properly padded. | Thrown if the data isn't properly block-aligned or similar issues occur during encryption or decryption. |
SecurityException | Message Varies | Thrown if something goes wrong during either encryption or decryption. |
The following are methods for Crypto. All methods are static.
public static Blob decrypt(String algorithmName, Blob privateKey, Blob initializationVector, Blob cipherText)
Type: Blob
The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively. You can use a third-party application or the generateAesKey method to generate this key for you.
```apex
// Caller-supplied 16-byte IV, fixed here only for the example
Blob exampleIv = Blob.valueOf('Example of IV123');
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, exampleIv, data);

// Decrypt with the same key and the same IV
Blob decrypted = Crypto.decrypt('AES128', key, exampleIv, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
```
public static Blob decryptWithManagedIV(String algorithmName, Blob privateKey, Blob IVAndCipherText)
Type: Blob
The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively. You can use a third-party application or the generateAesKey method to generate this key for you.
```apex
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
// The IV is generated for you and stored in the first 16 bytes of the result
Blob encrypted = Crypto.encryptWithManagedIV('AES128', key, data);

// The IV is read back from the first 16 bytes of the input
Blob decrypted = Crypto.decryptWithManagedIV('AES128', key, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
```
public static Blob encrypt(String algorithmName, Blob privateKey, Blob initializationVector, Blob clearText)
Type: Blob
The initialization vector must be 128 bits (16 bytes). Use either a third-party application or the decrypt method to decrypt blobs encrypted using this method. Use the encryptWithManagedIV method if you want Salesforce to generate the initialization vector for you. It is stored as the first 128 bits (16 bytes) of the encrypted Blob.
The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively. You can use a third-party application or the generateAesKey method to generate this key for you.
```apex
// Caller-supplied 16-byte IV, fixed here only for the example
Blob exampleIv = Blob.valueOf('Example of IV123');
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
Blob encrypted = Crypto.encrypt('AES128', key, exampleIv, data);

// Decrypt with the same key and the same IV
Blob decrypted = Crypto.decrypt('AES128', key, exampleIv, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
```
public static Blob encryptWithManagedIV(String algorithmName, Blob privateKey, Blob clearText)
Type: Blob
The initialization vector is stored as the first 128 bits (16 bytes) of the encrypted Blob. Use either third-party applications or the decryptWithManagedIV method to decrypt blobs encrypted with this method. Use the encrypt method if you want to generate your own initialization vector.
The length of privateKey must match the specified algorithm: 128 bits, 192 bits, or 256 bits, which is 16, 24, or 32 bytes, respectively. You can use a third-party application or the generateAesKey method to generate this key for you.
```apex
Blob key = Crypto.generateAesKey(128);
Blob data = Blob.valueOf('Data to be encrypted');
// The IV is generated for you and stored in the first 16 bytes of the result
Blob encrypted = Crypto.encryptWithManagedIV('AES128', key, data);

// The IV is read back from the first 16 bytes of the input
Blob decrypted = Crypto.decryptWithManagedIV('AES128', key, encrypted);
String decryptedString = decrypted.toString();
System.assertEquals('Data to be encrypted', decryptedString);
```
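The layout described above (IV in the first 16 bytes, cipher text after it) can be checked by splitting a managed-IV blob by hand and by framing a caller-supplied IV the same way. This is an added example for Execute Anonymous, not code from the original reference. It assumes the managed-IV and explicit-IV methods share the same cipher mode and padding, and it uses generateAesKey(128) only as a source of 16 random bytes for the IV.

```apex
// Added example: the IV || cipherText layout of the managed-IV methods.
Blob key = Crypto.generateAesKey(256);
Blob clearText = Blob.valueOf('Data to be encrypted'); // 20 bytes

// 1. Let the platform generate the IV and prepend it.
Blob ivAndCipherText = Crypto.encryptWithManagedIV('AES256', key, clearText);

// Anything shorter than 16 bytes cannot carry an IV header; this mirrors the
// "Unable to parse initialization vector" error in the exception table.
System.assert(ivAndCipherText.size() >= 16, 'Blob too short to hold an IV');
// 16-byte IV header + 20 bytes of data padded up to two 16-byte blocks
System.assertEquals(48, ivAndCipherText.size());

// 2. Split by hand. Hex uses two characters per byte, so the IV is 32 chars.
String hex = EncodingUtil.convertToHex(ivAndCipherText);
Blob iv = EncodingUtil.convertFromHex(hex.substring(0, 32));
Blob cipherText = EncodingUtil.convertFromHex(hex.substring(32));

// 3. The explicit-IV method decrypts the body with the extracted IV.
Blob viaExplicitIv = Crypto.decrypt('AES256', key, iv, cipherText);
System.assertEquals('Data to be encrypted', viaExplicitIv.toString());

// 4. The reverse direction: generate a fresh random IV per message, encrypt
//    with it, and frame the result as IV || cipherText yourself.
Blob freshIv = Crypto.generateAesKey(128); // 16 random bytes used as the IV
Blob body = Crypto.encrypt('AES256', key, freshIv, clearText);
Blob framed = EncodingUtil.convertFromHex(
    EncodingUtil.convertToHex(freshIv) + EncodingUtil.convertToHex(body));
Blob viaManagedIv = Crypto.decryptWithManagedIV('AES256', key, framed);
System.assertEquals('Data to be encrypted', viaManagedIv.toString());

// 5. A new IV per call means the same clear text never encrypts to the
//    same blob twice under the same key.
Blob second = Crypto.encryptWithManagedIV('AES256', key, clearText);
System.assertNotEquals(hex, EncodingUtil.convertToHex(second));
```

The same split (first 16 bytes as IV, remainder as cipher text) is what a third-party application has to perform before decrypting a blob produced by encryptWithManagedIV.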
public static Blob generateDigest(String algorithmName, Blob input)
Type: Blob
```apex
Blob targetBlob = Blob.valueOf('ExampleMD5String');
Blob hash = Crypto.generateDigest('MD5', targetBlob);
```
public static Blob generateMac(String algorithmName, Blob input, Blob privateKey)
Type: Blob
```apex
String salt = String.valueOf(Crypto.getRandomInteger());
String key = 'key';
// Arguments are (algorithmName, input, privateKey): the salt is the MAC input
Blob data = Crypto.generateMac('HmacSHA256', Blob.valueOf(salt), Blob.valueOf(key));
```
public static Integer getRandomInteger()
Type: Integer
```apex
Integer randomInt = Crypto.getRandomInteger();
```
public static Long getRandomLong()
Type: Long
```apex
Long randomLong = Crypto.getRandomLong();
```
public static Blob sign(String algorithmName, Blob input, Blob privateKey)
RSA-SHA1 is an RSA signature (with an asymmetric key pair) of a SHA1 hash.
RSA-SHA256 is an RSA signature of a SHA256 hash.
RSA is the same as RSA-SHA1.
Type: Blob
The following snippet shows how to call the sign method.
```apex
String algorithmName = 'RSA';
// Base64-encoded private key goes here
String key = '';
Blob privateKey = EncodingUtil.base64Decode(key);
Blob input = Blob.valueOf('12345qwerty');
Crypto.sign(algorithmName, input, privateKey);
```
public static Blob signWithCertificate(String algorithmName, Blob input, String certDevName)
RSA-SHA1 is an RSA signature (with an asymmetric key pair) of a SHA1 hash.
RSA-SHA256 is an RSA signature of a SHA256 hash.
RSA is the same as RSA-SHA1.
To access the Certificate and Key Management page from Setup, enter Certificate and Key Management in the Quick Find box, then select Certificate and Key Management.
Type: Blob
The following snippet is an example of the method for signing the content referenced by data.
```apex
Blob data = Blob.valueOf('12345qwerty');
// 'signingCert' is passed as the certDevName argument
System.Crypto.signWithCertificate('RSA-SHA256', data, 'signingCert');
```
public Void signXML(String algorithmName, Dom.XmlNode node, String idAttributeName, String certDevName)
RSA-SHA1 is an RSA signature (with an asymmetric key pair) of an SHA1 hash.
RSA-SHA256 is an RSA signature of an SHA256 hash.
RSA is the same as RSA-SHA1.
To access the Certificate and Key Management page from Setup, enter Certificate and Key Management in the Quick Find box, then select Certificate and Key Management.
Type: void
The following is an example declaration and initialization.
```apex
Dom.Document doc = new Dom.Document();
doc.load(...);
// Sign the root element; null is passed for idAttributeName
System.Crypto.signXml('RSA-SHA256', doc.getRootElement(), null, 'signingCert');
return doc.toXmlString();
```
public static void signXml(String algorithmName, Dom.XmlNode node, String idAttributeName, String certDevName, Dom.XmlNode refChild)
RSA-SHA1 is an RSA signature (with an asymmetric key pair) of an SHA1 hash.
RSA-SHA256 is an RSA signature of an SHA256 hash.
RSA is the same as RSA-SHA1.
To access the Certificate and Key Management page from Setup, enter Certificate and Key Management in the Quick Find box, then select Certificate and Key Management.
Type: Void