Store process variables encrypted in the database

Hi all,

we have run into a problem implementing encryption for variables stored in our database. The feature we are implementing is supposed to encrypt variables that are stored to the database before writing, and decrypt variables that are read from the database before they are cached and used in Camunda.

Our current implementation uses a custom JavaObjectSerializer that takes care of encryption and decryption before/after calling the default Camunda serializer.

Unfortunately, we ran into frequent OptimisticLockingExceptions (even when simply reading task variables), and after some investigation we figured out this happened because Camunda compared the serialized (i.e. encrypted) values of variables to determine if a value has changed and needs to be updated in the database. As our encryption implementation uses different IVs for each encryption, the two values will always be different and the variable is updated with every read.

Therefore I am wondering what the recommended way would be to implement this. Is there maybe a different extension point at a lower code level where we could for example intercept database reads and writes for variables and place our encryption there? Or should we take a completely different approach?

Thanks in advance,

Hi @olhb you may want to consider encrypting the database instead, see: Security Instructions |


1 Like

Hey @Beagler, thanks for the reply. Unfortunately that is not an option for us, the encryption and decryption has to take place in Camunda.


Hi @olhb ,

you could also consider to store the actual value inside a separate schema outside the engine and just reference the enctypted variables.

This gives you more control over the handling of encrypted data.

I hope this helps


1 Like