User Service stores the PII data in the database in encrypted form. So whichever service is reading that data directly from the database will have to decrypt the data before responding to the user. As of now, to the best of our knowledge following services are reading the user data from the database:
User Service
Report Service
Searcher Service
Enc-Client Library is a supplementary library with features like masking, auditing, etc. The above services call the functions from the library to decrypt the data read from the database.
When any of these services reads the data from the database, it will be in encrypted form. Before responding to a request, they call the enc-client library to convert the data to plain/masked form. The data returned as part of the response should only be in plain/masked form. It should not contain any encrypted values. Detailed guidelines on how to write the necessary configurations are provided in Guidelines for supporting User Privacy in a module document.
This documents highlights the changes need to be done in a module to support the user privacy feature.
Prior Knowledge of Java/J2EE.
Prior Knowledge of Spring Boot.
MDMS Service
Encryption Service
Prior Knowledge of React Js / Javascript
Upgrade services-common library version.
Upgrade tracer library version.
After upgrading the above library version, there might be chance that an issue occur for RequestInfo creation because of change in variable type, please go through all java files including JUnit test cases before pushing the changes.
The above library version need to be upgraded in the dependant module also. For Example: If water service call the property service and property service is calling user service for owner details then the version of above library need to be upgraded in property service pom file also.
At service level or calculator service level where demand generation process take place, there payer details value must be pass in plain form. And these user details must get through SYSTEM user.
Create a system user in the particular environment and make sure that system user has role INTERNAL_MICROSERVICE_ROLE
. Use the curl mentioned below:
Do not create the system user with INTERNAL_MICROSERVICE_ROLE
if it is already existed. Use the UUID of that user, to get plain result data.
Mention the uuid of the system user in the environment file and in the application.properties file of service example:
Environment file:
egov-internal-microservice-user-uuid: b5b2ac70-d347-4339-98f0-5349ce25f99f
Application properties file:
egov.internal.microservice.user.uuid=b5b2ac70-d347-4339-98f0-5349ce25f99f
Create a method/ function which call the user search API to get the user details in plain form, in that call pass the userInfo of the user with INTERNAL_MICROSERVICE_ROLE
For reference follow the below code snippet
For the report where PII data is present and decryption is required, such report definition must have UUID values from user table in the query result.
And the Source column section of the report definition must have mention of the UUID column and for that entry, showColumn
flag should be set as false.
And the base sql query in the report config should be written in such a way that in the query it must have the user uuid.
In the config, for name: uuid Here replace uuid with the name of the column containing the user’s uuid in the query’s output.
Example:
In the report config where PII data is present and decryption is required, add this new filed in the report config decryptionPathId
. And in the Security Policy mdms file, must have the model configuration from the particular report. And the value of key model
in Security Policy mdms file and decryptionPathId
in a report must be same.
\
Example:-
For the searcher result where PII data is present and decryption is required, such searcher definition must have UUID values from user table in the query result. The base sql query in the searcher config should be written in such a way that in the query it must have the user uuid.
I searcher result, where data are coming from user table and to get those value in decrypted form, then in searcher config these following filed decryptionPathId
must be present. And the Security Policy mdms file, must have the model configuration from the particular searcher config. And the value of key model
in Security Policy mdms file and decryptionPathId
in searcher config must be same.\
For details information on Security Policy MDMS file refer this document.
To Do
Encryption Service is used to secure sensitive data that is being stored in the database. The encryption services uses envelope encryption.
Before you proceed with the documentation, make sure the following pre-requisites are met -
Java 17.
Kafka server is up and running.
Encryption Service offers following features :
Encrypt - The service will encrypt the data based on given input parameters and data to be encrypted. The encrypted data will be mandatorily of type string.
Decrypt - The decryption will happen solely based on the input data (any extra parameters are not required). The encrypted data will have identity of the key used at the time of encryption, the same key will be used for decryption.
Sign - Encryption Service can hash and sign the data which can be used as unique identifier of the data. This can also be used for searching gicen value from a datastore.
Verify - Based on the input sign and the claim, it can verify if the the given sign is correct for the provided claim.
Rotate Key - Encryption Service supports changing the key used for encryption. The old key will still remain with the service which will be used to decrypt old data. All the new data will be encrypted by the new key.
Following are the properties in application.properties file in egov-enc-service which are configurable.
The Encryption service is used to encrypt sensitive data that needs to be stored in the database. For each tenant, a different data encryption key (DEK) is used. The DEK is encrypted using Key Encryption Keys (KEK). Currently, there are two implementations of encrypting the data encryption keys available. The first one is using AWS KMS service and the second one is using a master password. For any custom implementation, the MasterKeyProvider interface in the service should be extended. Based on the master.password.provider flag in appication.properties you can enable which implementation of MasterKeyProvider interface to use
Can perform encryption without having to re-write encryption logic every time in every service.
To integrate, the host of encryption-services module should be overwritten in the helm chart.
/crypto/v1/_encrypt
should be added as an endpoint for encrypting input data in the system
/crypto/v1/_decrypt
should be added as the decryption endpoint.
/crypto/v1/_sign
should be added as the endpoint for providing a signature for a given value.
/crypto/v1/_verify
should be added as the endpoint for verifying whether the signature for the provided value is correct.
/crypto/v1/_rotatekey
should be added as an endpoint to deactivate the keys and generate new keys for a given tenant.
a) POST /crypto/v1/_encrypt
Encrypts the given input value/s OR values of the object.
b) POST /crypto/v1/_decrypt
Decrypts the given input value/s OR values of the object.
c) /crypto/v1/_sign
Provide signature for a given value.
d) POST /crypto/v1/_verify
Check if the signature is correct for the provided value.
e) POST /crypto/v1/_rotatekey
Deactivate the keys for the given tenant and generate new keys. It will deactivate both symmetric and asymmetric keys for the provided tenant.
The enc-client library is a supplementary java library provided to support encryption-related functionalities so that every service does not need to pre-process the request before calling the encryption service.
MDMS Service
Encryption Service
Kafka
The MDMS configurations explained below are fetched by this library at boot time. So after you make changes in the MDMS repo and restart the MDMS service, you would also need to RESTART THE SERVICE which has imported the enc-client library. For example, the report service is using the enc-client library so after making configuration changes to Security Policy pertaining to any report, you will have to restart the report service.
Encrypt a JSON Object - The encryptJson
function of the library takes any Java Object as an input and returns an object which has encrypted values of the selected fields. The fields to be encrypted are selected based on an MDMS Configuration.
This function requires the following parameters:
Java/JSON object - The oject whose fields will get encrypted.
Model - It is used to identify the MDMS configuration to be used to select fields of the provided object.
Tenant Id - The encryption key will be selected based on the passed tenantId.
Encrypt a Value - The encryptValue
function of the library can be used to encrypt single values. This method also required a tenantId parameter.
Decrypt a JSON Object - The decryptJson
function of the library takes any Java Object as an input and returns an object that has plain/masked or no values of the encrypted fields. The fields are identified based on the MDMS configuration. The returned value(plain/masked/null) of each of the attribute depends on the user’s role and if it is a PlainAccess
request or a normal request. These configurations are part of the MDMS.
This function required following parameters:
Java/JSON object - The object containing the encrypted values that are to be decrypted.
Model - It is used to select a configuration from the list of all available MDMS configurations.
Purpose - It is a string parameter that passes the reason of the decrypt request. It is used for Audit purposes.
RequestInfo - The requestInfo parameter serves multiple purposes:
User Role - A list of user roles are extracted from the requestInfo parameter.
PlainAccess Request - If the request is an explicit plain access request, it is to be passed as a part of the requestInfo. It will contain the fields that user is requesting for decryption and the id of record.
While decrypting Java object, this method also audits the request.
All the configurations related to enc-client library are stored in the MDMS. These master data are stored in DataSecurity
module. It has two types of configurations:
Masking Patterns
Security Policy
The masking patterns for different types of attributes(mobile number, name, etc.) are configurable in MDMS. It contains the following attributes:
patternId
- It is the unique pattern identifier. This id is referred to in the SecurityPolicy MDMS.
pattern
- This defines the actual pattern according to which the value will be masked.
The Security Policy master data contains the policy used to encrypt and decrypt JSON objects. Each of the Security Policy contains the following details:
model
- This is the unique identifier of the policy.
uniqueIdentifier
- The field defined here should uniquely identify records passed to the decryptJson
function.
attributes
- This defines a list of fields from the JSON object that needs to be secured.
roleBasedDecryptionPolicy
- This defines attribute-level role-based policy. It will define visibility for each attribute.
The visibility is an enum with the following options:
PLAIN - Show text in plain form.
MASKED - The returned text will contain masked data. The masking pattern will be applied as defined in the Masking Patterns master data.
NONE - The returned text will not contain any data. It would contain string like “Confidential Information”.
It defines what level of visibility should the decryptJson
function return for each attribute.
The Attribute defines a list of attributes of the model that are to be secured. The attribute is defined by the following parameters:
name
- This uniquely identifies the attribute out of the list of attributes for a given model.
jsonPath
- It is the json path of the attribute from the root of the model. This jsonPath is NOT the same as Jayway JsonPath library. This uses /
and *
to define the json paths.
patternId
- It refers to the pattern to be used for masking which is defined in the Masking Patterns master.
defaultVisibility
- It is an enum configuring the default level of visibility of that attribute. If the visibility is not defined for a given role, then this defaultVisibility will apply.
This parameter is used to define the unique identifier of that model. It is used for the purpose of auditing the access logs. (This attribute’s jsonPath should be at the root level of the model.)
It defines attribute-level access policies for a list of roles. It consists of the following parameters:
roles
- It defines a list of role codes for which the policy will get applied. Please make sure not to duplicate role codes anywhere in the other policy. Otherwise, any one of the policies will get chosen for that role code.
attributeAccessList
- It defines a list of attributes for which the visibility differs from the default for those roles.
There are two levels of visibility:
First level Visibility - It applies to normal search requests. The search response could have multiple records.
Second level Visibility - It is applied only when a user explicitly requests for plain access of a single record with a list of fields required in plain.
Second level visibility can be requested by passing plainAccessRequest
in the RequestInfo
.
Any user will be able to get plain access to the secured data(citizen’s PII) by requesting through the plainAccessRequest
parameter. It takes the following parameters:
recordId
- It is the unique identifier of the record that is requested for plain access.
fields
- It defines a list of attributes that are requested for plain access.
Every decrypt request is audited. Based on the uniqueIdentifier
defined as part of the Security Policy, it lists out the identifiers of the records that were decrypted as part of the request.
Each Audit Object contains the following attributes:
Property | Default Value | Remarks |
---|
the latest version of Encryption Service
Note: This video will give you an idea of how to deploy any Digit-service. Further you can find the latest builds for each service in out latest here.
Add mapping for API’s.
Title | Link |
---|
Here is a link to a sample master data.
To know more about regular expression refer the below articles To test regular expression refer the below link.
| asd@#$@$!132123 | Master password for encryption/ decryption. It can be any string. |
| qweasdzx | A salt is random data that is used as an additional input to a one-way function that hashes data, a password or passphrase. It needs to be an alphanumeric string of length 8. |
| qweasdzxqwea | An initialization vector is a fixed-size input to a cryptographic primitive. It needs to be an alphanumeric string of length 12. |
| 256 | Default size of Symmetric key. |
| 1024 | Default size of Asymmetric key. |
| 12 | Default size of Initial vector. |
| software | Name of the implementation to be used for encrypting DEKs |
NA | AWS access key to access the KMS service (Note: this field is required only if |
NA | AWS secret to access the KMS service (Note: this field is required only if |
NA | AWS region to access the KMS service (Note: this field is required only if |
NA | Id of the KMS key to be used for encrypting the DEK (Note: this field is required only if |
API Swagger Documentation |