jpos
diff --git a/‎jpos/src/main/java/org/jpos/core/CryptoEnvironmentProvider.java‎
Lines changed: 50 additions & 14 deletions b/‎jpos/src/main/java/org/jpos/core/CryptoEnvironmentProvider.java‎
Lines changed: 50 additions & 14 deletions
diff --git a/‎jpos/src/main/java/org/jpos/core/SystemKeyManager.java‎
Lines changed: 258 additions & 0 deletions b/‎jpos/src/main/java/org/jpos/core/SystemKeyManager.java‎
Lines changed: 258 additions & 0 deletions
@@ -18,10 +18,10 @@
 
 package org.jpos.core;
 
-import org.jpos.iso.ISOUtil;
 import org.jpos.security.SystemSeed;
 
 import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.ByteBuffer;
@@ -32,7 +32,7 @@
  * EnvironmentProvider that encrypts/decrypts values using AES256.
  * 
  * <p>
- * Format: {@code crypto::<base64-encoded-ciphertext>}
+ * Format: {@code enc::<base64-encoded-ciphertext>}
  * <ul>
  * <li>Algorithm: AES-256-GCM with authenticated encryption</li>
  * <li>Key: 32 bytes derived from SystemSeed using SHA-256</li>
@@ -49,16 +49,25 @@ public class CryptoEnvironmentProvider implements EnvironmentProvider {
 
     @Override
     public String prefix() {
-        return "crypto::";
+        return "enc::";
     }
 
     @Override
     public String get(String config) {
         try {
-            // Remove the crypto:: prefix if present
+            String keyName = null;
             String encoded = config;
-            if (config.startsWith("crypto::")) {
-                encoded = config.substring(8);
+            
+            // Check for key name prefix: enc::keyname::encoded_data
+            if (config.startsWith("enc::")) {
+                String[] parts = config.substring(5).split("::", 2);
+                if (parts.length == 2) {
+                    keyName = parts[0];
+                    encoded = parts[1];
+                } else {
+                    // Default key
+                    encoded = config.substring(5);
+                }
             }
 
             byte[] decoded = Base64.getDecoder().decode(encoded);
@@ -72,9 +81,14 @@ public String get(String config) {
             byte[] ciphertext = new byte[buf.remaining()];
             buf.get(ciphertext);
 
-            // Use first 32 bytes of SystemSeed as the 256-bit AES key
-            byte[] seed = SystemSeed.getSeed(0, 32);
-            SecretKeySpec keySpec = new SecretKeySpec(seed, ALGORITHM);
+            // Use SystemKeyManager to get the derived key
+            SecretKey key = SystemKeyManager.getInstance().getKey(keyName);
+            if (key == null) {
+                throw new RuntimeException("Key not found in environment for name: " + 
+                        (keyName != null && !keyName.isEmpty() ? keyName : "default") + 
+                        ". Please set " + SystemKeyManager.getInstance().getEnvVarName(keyName));
+            }
+            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), ALGORITHM);
 
             // Decrypt with GCM authentication
             Cipher cipher = Cipher.getInstance(TRANSFORMATION);
@@ -92,13 +106,28 @@ public String get(String config) {
      * Helper method to encrypt a value (for generating encrypted config).
      * 
      * @param value the plaintext value to encrypt
-     * @return base64-encoded ciphertext with crypto:: prefix
+     * @return base64-encoded ciphertext with enc:: prefix
      */
     public static String encrypt(String value) {
+        return encrypt(value, null);
+    }
+    
+    /**
+     * Helper method to encrypt a value with a named key.
+     * 
+     * @param value the plaintext value to encrypt
+     * @param keyName the name of the key to use (null for default)
+     * @return base64-encoded ciphertext with enc::keyname:: prefix
+     */
+    public static String encrypt(String value, String keyName) {
         try {
-            // Use first 32 bytes of SystemSeed as the 256-bit AES key
-            byte[] seed = SystemSeed.getSeed(0, 32);
-            SecretKeySpec keySpec = new SecretKeySpec(seed, ALGORITHM);
+            SecretKey key = SystemKeyManager.getInstance().getKey(keyName);
+            if (key == null) {
+                throw new IllegalArgumentException("Key not found in environment for name: " + 
+                        (keyName != null && !keyName.isEmpty() ? keyName : "default") + 
+                        ". Please set " + SystemKeyManager.getInstance().getEnvVarName(keyName));
+            }
+            SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), ALGORITHM);
 
             // Generate secure random 12-byte IV
             byte[] iv = new byte[IV_SIZE_BYTES];
@@ -115,7 +144,14 @@ public static String encrypt(String value) {
             buf.put(iv);
             buf.put(ciphertext);
 
-            return "crypto::" + Base64.getEncoder().encodeToString(buf.array());
+            String base64 = Base64.getEncoder().encodeToString(buf.array());
+            
+            // If keyName is provided, include it in the prefix
+            if (keyName != null && !keyName.isEmpty()) {
+                return "enc::" + keyName + "::" + base64;
+            } else {
+                return "enc::" + base64;
+            }
         } catch (Exception e) {
             throw new RuntimeException("Failed to encrypt value", e);
         }
 
@@ -0,0 +1,258 @@
+/*
+ * jPOS Project [http://jpos.org]
+ * Copyright (C) 2000-2026 jPOS Software SRL
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.jpos.core;
+
+import org.jpos.security.SystemSeed;
+
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+/**
+ * Manages encryption keys derived from SystemSeed.
+ * 
+ * <p>
+ * This class:
+ * <ul>
+ * <li>Derives a consistent key from SystemSeed (32 bytes = 256 bits)</li>
+ * <li>Provides methods to encrypt/decrypt data using these keys</li>
+ * <li>Loads keys strictly from environment variables (no internal caching)</li>
+ * </ul>
+ */
+public class SystemKeyManager {
+    private static final String DEFAULT_KEY_NAME = "default";
+    private static final String DEFAULT_ENV_VAR = "JPOS_ENCRYPTION_KEY";
+    private static final int KEY_SIZE_BITS = 256;
+
+    private static final SystemKeyManager instance;
+
+    static {
+        try {
+            instance = new SystemKeyManager();
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to initialize SystemKeyManager", e);
+        }
+    }
+
+    private SystemKeyManager() {
+    }
+
+    /**
+     * Returns the singleton SystemKeyManager instance.
+     *
+     * @return the SystemKeyManager instance
+     */
+    public static SystemKeyManager getInstance() {
+        return instance;
+    }
+
+    /**
+     * Gets a key by name. Returns null if key doesn't exist in environment.
+     * Never caches the key.
+     *
+     * @param keyName the name of the key to get
+     * @return the SecretKey, or null if not found
+     */
+    public SecretKey getKey(String keyName) {
+        if (keyName == null || keyName.isEmpty()) {
+            keyName = DEFAULT_KEY_NAME;
+        }
+
+        String envVarName = getEnvVarName(keyName);
+        String envValue = System.getenv(envVarName);
+
+        // Fallback for test environments where setting System.getenv is not possible
+        if (envValue == null || envValue.trim().isEmpty()) {
+            envValue = System.getProperty(envVarName);
+        }
+
+        if (envValue != null && !envValue.trim().isEmpty()) {
+            try {
+                byte[] keyBytes = Base64.getDecoder().decode(envValue.trim());
+                if (keyBytes.length == KEY_SIZE_BITS / 8) {
+                    return new SecretKeySpec(keyBytes, "AES");
+                }
+            } catch (IllegalArgumentException e) {
+                // Invalid Base64 or length
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * Gets the default key. Returns null if key doesn't exist.
+     *
+     * @return the default SecretKey, or null if not found
+     */
+    public SecretKey getDefaultKey() {
+        return getKey(DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Gets the Base64-encoded key by name.
+     *
+     * @param keyName the name of the key
+     * @return Base64-encoded key, or null if not found
+     */
+    public String getKeyBase64(String keyName) {
+        SecretKey key = getKey(keyName);
+        return key != null ? Base64.getEncoder().encodeToString(key.getEncoded()) : null;
+    }
+
+    /**
+     * Generates a new key from SystemSeed and returns its Base64 string.
+     * The user is responsible for setting the environment variable manually.
+     *
+     * @param keyName the name to give the key
+     * @return the generated key in Base64
+     */
+    public String generateKey(String keyName) {
+        try {
+            byte[] seed = SystemSeed.getSeed(0, 32);
+            KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+            keyGen.init(KEY_SIZE_BITS, new SecureRandom(seed));
+            SecretKey key = keyGen.generateKey();
+            return Base64.getEncoder().encodeToString(key.getEncoded());
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to generate key from SystemSeed", e);
+        }
+    }
+
+    /**
+     * Generates a new default key from SystemSeed.
+     *
+     * @return the Base64-encoded generated key
+     */
+    public String generateDefaultKey() {
+        return generateKey(DEFAULT_KEY_NAME);
+    }
+
+    private static final int IV_SIZE_BYTES = 12;
+    private static final int TAG_LENGTH_BITS = 128;
+
+    /**
+     * Encrypts data using the default key.
+     *
+     * @param data the data to encrypt
+     * @return encrypted data (with IV prepended)
+     */
+    public byte[] encrypt(byte[] data) {
+        return encrypt(data, DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Encrypts data using a named key.
+     *
+     * @param data    the data to encrypt
+     * @param keyName the name of the key to use
+     * @return encrypted data (with IV prepended)
+     */
+    public byte[] encrypt(byte[] data, String keyName) {
+        try {
+            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+            SecretKey key = getKey(keyName);
+
+            if (key == null) {
+                throw new IllegalArgumentException("No key found in environment for name: " + 
+                        (keyName != null && !keyName.isEmpty() ? keyName : DEFAULT_KEY_NAME) + ". Please set " + getEnvVarName(keyName));
+            }
+
+            byte[] iv = new byte[IV_SIZE_BYTES];
+            new SecureRandom().nextBytes(iv);
+
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, iv);
+            cipher.init(Cipher.ENCRYPT_MODE, key, gcmParameterSpec);
+            byte[] ciphertext = cipher.doFinal(data);
+
+            byte[] result = new byte[iv.length + ciphertext.length];
+            System.arraycopy(iv, 0, result, 0, iv.length);
+            System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length);
+
+            return result;
+        } catch (Exception e) {
+            throw new RuntimeException("Encryption failed", e);
+        }
+    }
+
+    /**
+     * Decrypts data using the default key.
+     *
+     * @param encryptedData the encrypted data (with IV prepended)
+     * @return decrypted data
+     */
+    public byte[] decrypt(byte[] encryptedData) {
+        return decrypt(encryptedData, DEFAULT_KEY_NAME);
+    }
+
+    /**
+     * Decrypts data using a named key.
+     *
+     * @param encryptedData the encrypted data (with IV prepended)
+     * @param keyName       the name of the key to use
+     * @return decrypted data
+     */
+    public byte[] decrypt(byte[] encryptedData, String keyName) {
+        try {
+            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+            SecretKey key = getKey(keyName);
+
+            if (key == null) {
+                throw new IllegalArgumentException("No key found in environment for name: " + 
+                        (keyName != null && !keyName.isEmpty() ? keyName : DEFAULT_KEY_NAME) + ". Please set " + getEnvVarName(keyName));
+            }
+
+            byte[] iv = new byte[IV_SIZE_BYTES];
+            System.arraycopy(encryptedData, 0, iv, 0, iv.length);
+
+            byte[] ciphertext = new byte[encryptedData.length - iv.length];
+            System.arraycopy(encryptedData, iv.length, ciphertext, 0, ciphertext.length);
+
+            GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(TAG_LENGTH_BITS, iv);
+            cipher.init(Cipher.DECRYPT_MODE, key, gcmParameterSpec);
+            return cipher.doFinal(ciphertext);
+        } catch (Exception e) {
+            throw new RuntimeException("Decryption failed", e);
+        }
+    }
+
+    /**
+     * Gets the environment variable name for a key.
+     *
+     * @param keyName the name of the key
+     * @return the environment variable name
+     */
+    public String getEnvVarName(String keyName) {
+        if (keyName == null || keyName.isEmpty()) {
+            keyName = DEFAULT_KEY_NAME;
+        }
+        return DEFAULT_ENV_VAR + (DEFAULT_KEY_NAME.equals(keyName) ? "" : "_" + keyName.toUpperCase());
+    }
+
+    /**
+     * Clears all keys (for testing purposes).
+     */
+    public void clearKeys() {
+        // No-op as internal cache is removed
+    }
+}