Hi there,

I'm on Day 1 of looking at Keycloak, although some colleagues have been using it successfully. Please forgive the naiveté of the question, but I'd love confirmation that I'm on the right track.

I'd like to ensure that user email addresses, names, and usernames are encrypted by the Keycloak application before persisting to a relational store.

org.keycloak.models.jpa.entities.UserEntity is pretty obviously the place to do that – the natural question is, what is the best way for me to provide a slightly customized UserEntity.java in which I can do my desired encryption/decryption?

My initial scan of docs and repo suggests one of the following:

1) Create a UserProvider analogous to the JpaUserProvider, but with my own UserEntity subclass.
2) If needed, follow the approach described in this thread[1] from November to implement a custom Hibernate EntityManager, but I don't think that's necessary for my case, and don't yet fully understand that.
3) Something else.

[1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005745.html

Thoughts or advice appreciated!
Aaron