Descriptors encryption

Descriptors encryption feature is supported by handlers

Encrypted descriptors are stored and received in following format: <encrypted_descriptor><tag><nonce><hash>

• encrypted_descriptor - encrypted descriptor

• tag - data used from message authentication

• nonce - encryption initialization vector

• hash - hash sum of the encryption key and algorithm

Configuring encryption

Encryption can be enabled through the DESCRIPTOR_ENCRYPTION setting.

• enabled - whether descriptors encryption is enabled or not.

• algorithm - name of the encryption algorithm used.

• params - encryption params to specify the encryption key source.

Supported algorithms: aes256-gcm

Encryption params contain the following fields:

• source - name of encryption key source.

• key - encryption key or credentials for receiving it

Supported source types: raw, vaultKV

For both raw, vaultKV sources key must be encoded in base64 string

If you use Hashicorp Vault Key/Value storage as your key source, key must contain the following fields:

• url - url for receiving encryption key

• token - authentication token

  {
      "enabled": true,
      "algorithm": "aes256-gcm",
      "params": {
          "source": "vaultKV",
          "key": {
              "url": "https://vault.example.com/v1/secret/data/encryption_key",
              "token": "s.XYZ12345"
          }
      }
  }
  

The contents of vault Key/Value storage are expected to be in the following format:

{
"key": "...",
"algorithm": "..."
}