UTIL_SessionEncryption
Class · Group: Utilities
global inherited sharing class UTIL_SessionEncryptionUtility class providing bi-directional encryption and decryption capabilities with automatic key management and expiry. This class uses AES256 encryption combined with HMAC-SHA256 (Encrypt-then-MAC) to ensure both confidentiality and integrity.
CRITICAL ARCHITECTURAL WARNING
This utility uses EPHEMERAL STORAGE (Platform Cache) for encryption keys. Keys are NOT persisted to the database. If the cache expires, is flushed, or the session ends, the key is LOST FOREVER and any data encrypted with it becomes permanently unrecoverable.
DO NOT USE THIS CLASS FOR:
- Persisting encrypted data to SObjects or Settings.
- Long-term data storage.
USE THIS CLASS ONLY FOR:
- Short-lived data passing (e.g., ViewState, temporary token exchange).
- Session-scoped data where data loss is acceptable upon session expiry.
Since: 1.0
Example:
String encrypted = UTIL_SessionEncryption.encrypt('Sensitive Data');
String decrypted = UTIL_SessionEncryption.decrypt(encrypted);
Boolean available = UTIL_SessionEncryption.isAvailable();Methods
| Method | Description |
|---|---|
| global static String decrypt(String encryptedTextValue) | Decrypts a Base64-encoded string using the cached encryption key. |
| global static String encrypt(String plainTextValue) | Encrypts a string using the current user's encryption key and appends an HMAC. |
| global static Boolean isAvailable() | Safely checks if the Crypto utility is available for use (Cache is online). |
Method Details
decrypt
global static String decrypt(String encryptedTextValue)Decrypts a Base64-encoded string using the cached encryption key. Verifies the HMAC before attempting decryption to ensure integrity.
Parameters:
encryptedTextValue(String) - The Base64-encoded encrypted string (IV:Cipher:HMAC).
Returns: String - String The decrypted string, or the input if it is blank.
Throws:
- Exception - If decryption fails due to invalid key or algorithm issues.
- IllegalArgumentException - If the encrypted text is invalid or no encryption key is found.
Since: 1.0
Example:
String plainTextValue = 'Sensitive Data';
String encrypted = UTIL_SessionEncryption.encrypt(plainTextValue);
String decrypted = UTIL_SessionEncryption.decrypt(encrypted);
System.debug(decrypted); // Outputs: Sensitive Data
try
{
decrypted = UTIL_SessionEncryption.decrypt('InvalidBase64');
}
catch(IllegalArgumentException e)
{
System.debug('Invalid input: ' + e.getMessage());
}encrypt
global static String encrypt(String plainTextValue)Encrypts a string using the current user's encryption key and appends an HMAC. The method generates a new key if none exists in the cache and stores it with an expiry.
Format: Base64(IV) : Base64(Cipher) : Base64(HMAC)
Parameters:
plainTextValue(String) - The string to encrypt.
Returns: String - String The encrypted string in Base64 format with HMAC, or the input if it is blank.
Throws:
- Exception - If encryption fails due to invalid key, algorithm issues, or cache write failures.
Since: 1.0
Example:
String plainTextValue = 'Sensitive Data';
String encrypted = UTIL_SessionEncryption.encrypt(plainTextValue);
System.debug(encrypted); // Outputs: Base64-encoded encrypted string
String blankInput = '';
encrypted = UTIL_SessionEncryption.encrypt(blankInput);
System.debug(encrypted); // Outputs: ''isAvailable
global static Boolean isAvailable()Safely checks if the Crypto utility is available for use (Cache is online). Useful for UI controllers to check availability without needing try/catch blocks.
Returns: Boolean - Boolean True if cache is available, False otherwise.
Since: 1.0
Example:
Boolean result = UTIL_SessionEncryption.isAvailable();