User Data Encryption for a Java Web Application (Spring/Jboss)

We are saving user data on a server and we want to save this data encrypted with TrueCrypt.

If a user registers, we generate an asymmetric key for him that is encrypted with his password. This asymmetric user-specific key will encrypt all the keys that are used for services, including the above mentioned data encryption.

If we now want to read the user's files, add new ones and modify existing ones from within our Java Application running on an Application Server, should we mount the TrueCrypt container? We think that it might be a security leak as an attacker could easily look in the mounted container, but we also have no other idea - we are kind of stuck!

I am sure someone can help us here.

Thanks, Heinrich

@edit By the way, we are using Spring for your Java App.


I don't think it is a good idea to use TrueCrypt for this use case. When using TrueCrypt you have no other choice than mounting it on each request to encrypted files. You should think about using plain Java encryption and do encryption and decryption yourself. There are libraries like Google Keyczar that may help you implement this.

0
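The "plain Java encryption" approach from the answer, as an added example that is not code from the question or the answer. It uses the JDK's own `javax.crypto` rather than Keyczar and simplifies the key hierarchy from the question: the password-derived key wraps a symmetric per-user data key directly, and the asymmetric layer is left out. The class name, method names, iteration count and sample values are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class UserFileCrypto { // hypothetical class name
    static final SecureRandom RNG = new SecureRandom();

    // Derive a key-encryption key from the user's password (PBKDF2 with a per-user salt).
    static SecretKey deriveKek(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // iteration count is an assumption
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new SecretKeySpec(k, "AES");
    }

    // AES-GCM encrypt; the output is a fresh 12-byte IV followed by ciphertext and tag.
    static byte[] seal(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Reverse of seal(); throws AEADBadTagException on a wrong key or modified data.
    static byte[] open(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        char[] password = "constructed-password".toCharArray(); // constructed sample value
        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // stored next to the wrapped key; not secret
        // Registration: a random data key is stored only in wrapped form.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dataKey = kg.generateKey();
        byte[] wrappedKey = seal(deriveKek(password, salt), dataKey.getEncoded());
        byte[] storedFile = seal(dataKey, "constructed file content".getBytes(StandardCharsets.UTF_8));
        // Request: re-derive from the password, unwrap the data key, decrypt in memory only.
        SecretKey dk = new SecretKeySpec(open(deriveKek(password, salt), wrappedKey), "AES");
        System.out.println(new String(open(dk, storedFile), StandardCharsets.UTF_8));
    }
}
```

Only `salt`, `wrappedKey` and `storedFile` are written to disk, so there is no mounted plaintext volume for an attacker on the server to browse; plaintext exists only in the application's memory while a request is handled.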
