Descriptors encryption¶
To prevent malicious use of descriptors stolen from api or db descriptor encryption feature can be enabled. If enabled, only encrypted descriptor data will be kept in the database. Descriptors that are passed to save without encryption will be encrypted.
Encrypted descriptors are stored and received in following format: <encrypted_descriptor><tag><nonce><hash>
- encrypted_descriptor - encrypted descriptor 
- tag - data used from message authentication 
- nonce - encryption initialization vector 
- hash - hash sum of the encryption key and algorithm 
Descriptors that have already been encrypted before saving must correspond with this format. Only descriptors that were encrypted with the current key and algorithm can be received from the database. When updating face descriptors, all descriptors with different key or algorithm will be deleted. It is assumed that all descriptors can be encrypted with only one key + algorithm pair at once.
Configuring encryption¶
- Encryption can be enabled through the DESCRIPTOR_ENCRYPTION setting.
- enabled - whether descriptors encryption is enabled or not. 
- algorithm - name of the encryption algorithm used. 
- params - encryption params to specify the encryption key source. 
 
Supported algorithms: aes256-gcm
- Encryption params contain the following fields:
- source - name of encryption key source. 
- key - encryption key or credentials for receiving it 
 
Supported source types: raw, vaultKV
For both raw, vaultKV sources key must be encoded in base64 string
- If you use Hashicorp Vault Key/Value storage as your key source, key must contain the following fields:
- url - url for receiving encryption key 
- token - authentication token - { "enabled": true, "algorithm": "aes256-gcm", "params": { "source": "vaultKV", "key": { "url": "https://vault.example.com/v1/secret/data/encryption_key", "token": "s.XYZ12345" } } } 
 
The contents of vault Key/Value storage are expected to be in the following format:
{ "key": "...", "algorithm": "..." }
Encryption migration script¶
To update the existing descriptors in the database you need to run the script called descriptors_encryption.py. It has three options:
- to encrypt the original descriptors. 
- to switch to a new encryption key. 
- to decrypt the encrypted descriptors. 
Note
The script requires three environment variables to be set regardless of the option you choose:
- OLD_ENCRYPTION_KEY (might be set to an empty string) 
- NEW_ENCRYPTION_KEY (might be set to an empty string) 
- ENCRYPTION_ALGORITHM (is always mandatory and can not be empty) 
1. To encrypt the original descriptors. This option allows you to encrypt all the descriptors in the database if they were not encrypted previously. Already encrypted descriptors will be ignored, so the script may be run several times. If you choose this option, you need to fill in the NEW_ENCRYPTION_KEY variable and leave the OLD_ENCRYPTION_KEY variable empty.
2. To switch to a new encryption key. This option assumes that encryption has already been performed and you possess the existing encryption key which you want to refresh. Already encrypted descriptors will be ignored, so the script might be ran several times. You must specify both OLD_ENCRYPTION_KEY and NEW_ENCRYPTION_KEY.
3. To decrypt the encrypted descriptors. This options will turn the descriptors back to their original state. It will only will only process the encrypted descriptors and leave the original ones unchanged. To run this version of the script, you need to specify the OLD_ENCRYPTION_KEY variable and leave the NEW_ENCRYPTION_KEY variable empty.
To run the script you need to specify the way to get DB configs from
- –config - Path to config file. 
- –luna-config - The origin and API version of the luna-configurator service for pulling settings from it. (e.g. “http://127.0.0.1:5070/1”) 
- –chunk-size - The size of batch for update. 
- –LUNA_EVENTS_DB - Tag for setting LUNA_EVENTS_DB for pulling settings from luna-configurator. 
- –DATABASE_NUMBER - Tag for setting DATABASE_NUMBER for pulling settings from luna-configurator. 
- -v, –verbose - Enable debug logging 
The default option is to pull settings from the configuration file.
Warning
PLEASE MAKE SURE YOU MADE THE DB’s BACKUP BEFORE RUNNING SCRIPT.
To run the script:
export ENCRYPTION_ALGORITHM=aes256-gcm
export OLD_ENCRYPTION_KEY=B9pFvUkmaN7RFrr3HEC3U/VTHQcOaKTZ5flQyXwP5qo=
export NEW_ENCRYPTION_KEY=3gDyT4o+YlKLV4NZRjP/wznuhgxMI0mNNJWqc782Z9M=
python ./base_scripts/descriptors_encryption.py --config=./configs/myconfig.conf
OR
python ./base_scripts/descriptors_encryption.py --luna-config=http://127.0.0.1:5070/1 --LUNA_EVENTS_DB=EVENTS_DB
 --chunk-size=100000