Encryption Service

Overview

The Encryption Service is used to secure sensitive data that is being stored in the database.

Pre-requisites

Before you proceed with the documentation, make sure the following pre-requisites are met -

  • Java 8.

  • Kafka server is up and running.

Key Functionalities

Encryption Service offers the following features :

  1. Encrypt - The service encrypts the data based on given input parameters and data to be encrypted. The encrypted data is mandatory for a string data type.

  2. Decrypt - The decryption will happen solely based on the input data (any extra parameters are not required). The encrypted data has the identity of the key used at the time of encryption, the same key will be used for decryption.

  3. Sign - Encryption Service can hash and sign the data which can be used as the unique identifier of the data. This can also be used for searching the given value from a datastore.

  4. Verify - Based on the input sign and the claim, it can verify if the given sign is correct for the provided claim.

  5. Rotate Key - Encryption Service supports changing the key used for encryption. The old key will still remain with the service which will be used to decrypt old data. All the new data will be encrypted by the new key.

Configuration Details

Following are the properties in the application.properties file in egov-enc-service which are configurable.

Property

Default Value

Remarks

master-password

asd@#$@$!132123

Master password for encryption/ decryption.

master.salt

qweasdzx

A salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase.

master.initialvector

qweasdzxqwea

An initialization vector is a fixed-size input to a cryptographic primitive.

size.key.symmetric

256

Default size of Symmetric key.

size.key.asymmetric

1024

Default size of Asymmetric key.

size.initialvector

12

Default size of Initial vector.

Deployment Details

  1. Deploy the latest version of the Encryption Service.

  2. Add Role-Action mapping for APIs.

Integration Details

Integration Scope

The Encryption service is used to encrypt sensitive data that needs to be stored in the database.

Integration Benefits

  • Can perform encryption without having to re-write encryption logic every time in every service.

Steps to Integration

  1. To integrate, a host of encryption services, modules should be overwritten in the helm chart.

  2. /crypto/v1/_encrypt should be added as an end point for encrypting input data in the system

  3. /crypto/v1/_decrypt should be added as the decryption endpoint.

  4. /crypto/v1/_sign should be added as the endpoint for providing a signature for a given value.

  5. /crypto/v1/_verify should be added as the endpoint for verifying whether the signature for the provided value is correct.

  6. /crypto/v1/_rotatekey should be added as an end point to deactivate the keys and generate new keys for a given tenant.

Reference Docs

Title

Link

API Swagger Documentation

API List

a) POST /crypto/v1/_encrypt

Encrypts the given input value/s OR values of the object.

b) POST /crypto/v1/_decrypt

Decrypts the given input value/s OR values of the object.

c) /crypto/v1/_sign

Provide signature for a given value.

d) POST /crypto/v1/_verify

Check if the signature is correct for the provided value.

e) POST /crypto/v1/_rotatekey

Deactivate the keys for the given tenant and generate new keys. It will deactivate both symmetric and asymmetric keys for the provided tenant.

Creative Commons LicenseAll content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.

Last updated

​All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.