Initialization vectors should be randomly generated
In AesEncryptor.cipher you’re initializing a Cipher instance with a static IV2 which is insecure.
One possible solution would be to generate the initialization vector using SecureRandom:
On reflection, each property should have it's own IV, so the PR adds a column to the DB to save it.
Unfortunately, it is not quite as simple as the ticket suggests; the IV is required to decrypt the text, too - which means it must be persisted, presumably in `conf/security.xml`.
Assigned this to gdt as he is usually checking security issues. Feel free to reassign to Dave or leave it unassigned.