How to use encryption in Java?

Does anyone know how I can include encryption and decryption in my code? I am using FileInput and FileOutput Stream for serialized files. I have an arraylist of students, and I have an arraylist of books. I can save and read them from their individual files. But for security, I want to encrypt and decrypt them. How do I do that?

private static void ReadBook() {
try {
FileInputStream fi = new FileInputStream("bookData.ser");
ObjectInputStream oi = new ObjectInputStream(fi);
bookList = (ArrayList<Book>) oi.readObject();
oi.close();
} catch (Exception e) {
e.printStackTrace();
}
}
protected static void SaveBook(ArrayList<Book> books) {
ArrayList<Book> tempbookList = books;
try {
FileOutputStream fs = new FileOutputStream("bookData.ser");
ObjectOutputStream os = new ObjectOutputStream(fs);
os.reset();
os.writeObject(tempbookList);
os.close();
} catch (Exception e) {
e.printStackTrace();
}
}
private static void ReadStudent() {
try {
FileInputStream fi = new FileInputStream("studentData.ser");
ObjectInputStream oi = new ObjectInputStream(fi);
studentList = (ArrayList<Student>) oi.readObject();
oi.close();
} catch (Exception e) {
e.printStackTrace();
}
}
protected static void SaveStudent(ArrayList<Student> students) {
ArrayList<Student> tempstudentList = students;
try {
FileOutputStream fs = new FileOutputStream("studentData.ser");
ObjectOutputStream os = new ObjectOutputStream(fs);
os.reset();
os.writeObject(tempstudentList);
os.close();
} catch (Exception e) {
e.printStackTrace();
}

What you want isn't possible without an external secret. The problem is, you can 'encrypt' this, but it's not actually encryption (just obfuscation) unless there is a key involved, and the point of a key is: If you know it, you can decrypt it.

So, where does the key come from? You can't hardcode it into your source (sources can be decompiled or just opened with a hex editor), you can't load it off of a file (because anybody that can fetch the encrypted file can also fetch the file with the key in it and thus now they have all they need to decrypt the data). You can try to add layers into this, but it's turtles all the way down: If the application itself can obtain the secret, and the unauthorized person has full access to the computer that the application runs on, this is just not possible.

One way out is to actually say that the owner of the computer doesn't own it - this gets us into messing with security chips such as apple's T2 or the windows ecosystem's TPM. You can't interact with these from java without native code.

Another much simpler way out is to ensure that the application cannot decrypt the data unassisted. Simply ask the user for a password every time they start up the app. Then as long as the app is open, any hacker can just memorydump the VM and get the data, but once the app is closed and the memory is cleaned up (a little tricky at times), it's a secret again.

First think about those more high flying concepts of exactly which scenarios you want to protect and how you want to protect them. Only after that is it time to think about how you implement such things.

Seriously: Write down james bond scenarios. Rate them according to how much you want to protect against them (hint: It won't come for free).

For example: If the computer is stolen, I want to be able to say that as long as the power was pulled and the thieves aren't doing crazy stuff such as pulling the memory chips and blasting a can of CO2 at it to freeze them - I want the data to be gone - that's workable. But note that this is far better achieved by the user themselves: Have the OS apply full disk encryption. They'll do a far better job than you can, and those DO get to enjoy the benefits of security chips (TPM or T2, for example).

Another example: "Someone with a little knowledge and access to the room, I want to prevent these people from looking at the data". That's VERY tricky, they can use physical keyloggers (stick a tiny little USB dongle in between keyboard and system, or install a camera pointing at screen and keyboard) or just open the computer up and install a custom boot. If you want to keep those out, we need to talk about securing the case, or protecting the room itself with physical alarm systems, custom devices, or other extreme measures. It's good to know that this particular threat (so-called 'evil maid attack') is most likely not what you want to protect against (security involves tradeoffs. To properly assess tradeoffs, you need these scenarios).