Implement AES-GCM file encryption per user

- EncryptionService uses PBKDF2 to derive a key from user password and salt.
- AES-GCM encryption with 128-bit tag and 12-byte IV.
- Ready for streaming encryption to/from HDFS without temp files.

src/main/java/com/skycrate/backend/skycrateBackend/security/EncryptionService.java

@@ -0,0 +1,42 @@
+package com.skycrate.backend.skycrateBackend.security;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.*;
+import java.security.SecureRandom;
+import java.util.Base64;
+
+public class EncryptionService {
+
+    private static final int KEY_LENGTH = 256;
+    private static final int ITERATIONS = 65536;
+    private static final int SALT_LENGTH = 16;
+    private static final int IV_LENGTH = 12;
+
+    public static byte[] generateSalt() {
+        byte[] salt = new byte[SALT_LENGTH];
+        new SecureRandom().nextBytes(salt);
+        return salt;
+    }
+
+    public static SecretKey deriveKey(String password, byte[] salt) throws Exception {
+        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_LENGTH);
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+        return new SecretKeySpec(factory.generateSecret(spec).getEncoded(), "AES");
+    }
+
+    public static byte[] encrypt(byte[] plaintext, SecretKey key, byte[] iv) throws Exception {
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
+        cipher.init(Cipher.ENCRYPT_MODE, key, spec);
+        return cipher.doFinal(plaintext);
+    }
+
+    public static byte[] decrypt(byte[] ciphertext, SecretKey key, byte[] iv) throws Exception {
+        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+        GCMParameterSpec spec = new GCMParameterSpec(128, iv);
+        cipher.init(Cipher.DECRYPT_MODE, key, spec);
+        return cipher.doFinal(ciphertext);
+    }
+}