In my application, users can upload any kind of files.
I would like to store them (or their data, byte) encrypted in the file-system, and when the user wants to re-download them, de-crypt them on the fly, transparently for the user.
The files must not be user-private, as they can be shared between groups of users.
Someone with only file-system access should not be able to get the file data.
What would be the best practice to achieve this kind of encryption requirement ?
Security should be the most important consideration.
As ideal I would see an api which I can pass the file-data as
byte which takes care of en/decryption. This way the
java.io.File would not need to know about the encryption at all.
A salt could maybe be provided from the file's metatada, while the key could e.g. be provided on application startup.
The comment from @Jared points to an article which kind of sovles my requirement:
The application runs under a system account so encrypt a folder for only that account. Store the uploaded files in that encrypted folder. Don't give anyone the password for that account.
Windows has this built in and there are many ways to achieve this on *NIX.
This meets all of your requirements.