This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Encrypt and decrypt sensitive data in a source

pavan
Former Employee

โ€Ž10-22-2018 02:10 PM

Created by @pavan

This pipeline pattern will encrypt fields passed as JSON docs using a defined transform type (AES), and decrypts and gives back the original message. This pattern is useful for encrypting sensitive messages (credit card info, SSN, patients name, DOB etc).

encrypt-decrypt

Configuration

Within the JSON Generator, replace โ€œEnter certificate hereโ€ with your own certificate.

Sources: JSON
Targets: JSON
Snaps used: JSON Generator, Encrypt Field, Mapper, Decrypt Field

Downloads

Encrypt & Decrypt Fields.slp (9.1 KB)

Encrypt & Decrypt Fields.slp
0 Kudos
6 REPLIES 6

andrew_holbrook
New Contributor III

โ€Ž10-23-2018 03:31 PM

@pavan Once encrypted, do I need to pass all the information onward? Is it a security risk to do so?

ENC {
  "transformation":"AES/CBC/PKCS5Padding",
  "iv":"[MYIV]",
  "type":"STRING",
  "ciphertext":"[MYCIPHERTEXT==]",
  "key_params":  {
    "passphrase":  {
      "key_gen_iterations":10000,
      "key_gen_algorithm":"[ALGORITHM]",
      "key_algorithm":"AES",
      "key_salt":"[SALTKEY]",
      "key_size":128
    }
  }
}:ENC
0 Kudos

tstack
Former Employee
In response to andrew_holbrook

โ€Ž10-23-2018 03:57 PM

Yes, the information is needed to correctly decrypt the ciphertext.

No, itโ€™s okay to send the IV in the clear and the rest of the information is used to configure the decryption process.

Deepak
New Contributor II
In response to tstack

โ€Ž07-14-2019 11:21 PM

@tstack I have a similar scenario. Please read through the steps.

  1. We are using Encryption & Decryption in 2 seperate ultra pipelines, where first pipeline would encrypt the password field and send this data to second pipeline & the second pipeline would decrypt the data and use it.
  2. The problem is we are giving away key information like Type Of Algorithm, IV, Key_SALT over the internet along with the Ciphertext which is a security concern.
  3. Our design has to have 2 seperate ultra pipelines & not pipeline execute as its an architectural decision.

How can we achieve decrypting the field, without giving away these key attributes?

0 Kudos

tstack
Former Employee
In response to Deepak

โ€Ž07-15-2019 06:58 AM

These values are not secrets, so I donโ€™t think there should be a problem.

Can I ask what is driving the decision to not use PipeExec?

0 Kudos