Encryption Framework

Owned by PIPEFORCE
Last updated: Oct 25, 2023
2 min read

SINCE VERSION 9.0

What is the Encryption Framework?

PIPEFORCE encrypts sensitive data fully transparently and automatically wherever required since version 1.0. Since version 9.0, it additionally provides so-called crypto engines of different types that allow you to encrypt and decrypt data very effectively inside your workflows and can be implemented in a very secure way if required.

Keystore

If you're using PIPEFORCE as a cloud service, a random secure keystore is automatically provided to your instance. The keystore is generated in an encrypted wallet outside the PIPEFORCE cloud and is never persisted elsewhere. The keystore will also take part on key rotations which will take place in order to change the keys from time to time. So all setup for you by default in a most secure way.

Auto-encrypting properties

In order to store property values only in encrypted format in the property store, you have to set the parameter encrypted to true when you create the property schema using the command property.schema.put. For example:

pipeline: - property.schema.put: path: "global/app/myapp/data/secret" encrypted: true

When storing value to this property later using the command property.put this value is automatically encrypted using AES-256 with CBC mode before it gets stored to the database using the default access key of the platform. So you can be sure that the data is encrypted at rest.

Encrypting the value of a property this way increases security but also has some drawbacks caveats you have to be aware of:

  • You can no longer apply deep queries on JSON documents on encrypted property values.

  • Events with the properties as payload (for example, property.created or property.updated) will send the payload in messages that are also encrypted. So listeners to these events have limited access to this property.

  • In lists where a set of properties is returned, the encrypted property remains encrypted. So you could have a mixture of plain text and encrypted properties for example. You have to make sure to handle this in your application accordingly.

  • Once a property was set to encrypted:true it cannot be switched back to plain text.

  • The value is encrypted at rest but as soon as you load it with property.value.get, it will be provided non-encrypted format so it can be further processed by the pipeline.

Auto-decrypting properties

Once a property has been stored encrypted in the property store you can load and decrypt its value using the command property.value.get with parameter decrypt set to true. For example:

pipeline: - property.value.get: path: "global/app/myapp/data/secret" decrypt: true

In this case the property will be automatically decrypted using the default access key of the platform and then returned.

This is the only way to decrypt the value of the property. For performance and security reasons, it is not possible to 'mass-decrypt' properties returned in a list. For example by using the command property.get with a path pattern.

Custom encryption and decryption

You can also encrypt and decrypt data in PIPEFORCE using AES-256 in CBC mode by providing your encryption key. For this see the command data.encrypt and data.decrypt where you can set your custom key.

When using custom encryption and decryption you have to make sure by your own to manage the encryption keys securely.