The role of Encryptors.queryableText(String, String) is to allow for data to be encrypted for storage, then for the data to be queried against in its encrypted form. A good example of the need for this is the storage of OAuth Consumer Keys. Such keys should be encrypted when stored, and need to be queried when applications request authorization.
For this to work, the same message e.g. "6048b75ed560785c" must produce the same cipher text each time e.g. "5e37a66db5d48321050d17365d4f4e6fd217caade54d777bbecf6a458036e34b6fcbf0bebf2aa2a03ca5d5171ba5de7a"
. Unfortunately, this is not happening beyond container restarts since the "shared" initialization vector is initialized each time a queryable TextEncryptor instance is constructed.
The following simple test case demonstrates the issue:
Each time this test case is run, across all VM instances, the cipher text should be the same. If you run it more than once, you'll see the cipher text change. This is not correct behavior.
The fix is most likely to not apply an iV at all for a "queryable" TextEncryptor.