Encryption/decryption feature
Encryption technology
The platform offers a base implementation of Encryptor, which is the piece in charge of encrypt / decrypt actions, which uses the following:
- 128-bit AES encryption, more specifically AES / CBC / PKCS5PADDING
- The encryption key (KEY) and initialization vector (IV) are loaded from an internal platform configuration file, and the same values are used for all ontologies
The Encryptor part can be replaced with the plugin mechanism offered by the platform (How to extend the Platform with plugins?), Being able to develop a part that connects to an HSM as Key Vault to obtain the encryption keys and IV externally.
Config Ontology for encryption
When you create an ontology on the platform, it allows you to indicate which attributes you want to encrypt. To do this, in the Control Panel, indicate True in the ENCRYPTED column:
Attributes that are marked as encrypted will be stored in the underlying repository (database).
From version 1.5.1-rc2, the platform will encrypt and decrypt the attributes. This means that the different tools of the platform (Query Tool, CRUD of ontologies, Digital Broker, API Manager, ...) will be handled transparently.
When making queries, if you want to query for an encrypted field, then you must use the expression $ENCRYPT().
Below you see how, although the name and color attributes are encrypted:
when handled from the platform, they appear normally:
$ENCRYPT
Queries are allowed on encrypted fields such as: select * from MyOntology as c WHERE c.MyOntology.property = "$ENCRYPT(text)"
Additional considerations
Encryption also works with array-type, object-type and similar fields.
Examples
See here that, if you create an API on an ontology with encrypted attributes, the platform will transparently decrypt them:
Using the Digital Broker, you can also consult and insert data and make the encryption transparent to the user.