Skip to content

Comments

Support multiple and pluggable content encryption keys and encryption algorithms#2240

Merged
paulcwarren merged 12 commits intopaulcwarren:mainfrom
vierbergenlars:encryption-refactor
Feb 6, 2025
Merged

Support multiple and pluggable content encryption keys and encryption algorithms#2240
paulcwarren merged 12 commits intopaulcwarren:mainfrom
vierbergenlars:encryption-refactor

Conversation

@vierbergenlars
Copy link
Contributor

@vierbergenlars vierbergenlars commented Jan 21, 2025

This refactors the content encryption module to support:

  1. Plugging in encryption strategies for data encryption keys (e.g using AWS KMS or Hashicorp Vault, ...)
  2. Plugging in different storage strategies for encrypted data encryption keys (e.g. in the entity table or in a separate storage table)
  3. Storing multiple encrypted data encryption keys, encrypted with different services or keys
  4. Plugging in different symmetric content encryption algorithms (e.g. AES-CTR)

Provided implementations:

  1. Encrypting data encryption keys using Hashicorp Vault (using the transit engine)
  2. Not encrypting data encryption keys
  3. Storage of encrypted data encryption keys as a byte[] field in the entity next to the content property, with any custom suffix
  4. Encrypting content using AES-CTR, while supporting byte-range partial content requests

@vierbergenlars
Refactor content encryption into pluggable components
6af316d
@vierbergenlars
Extend possible configuration for EncryptingContentStore
cf5264e 
Allow configuration of all pluggable components and provide default values when nothing is configured
@vierbergenlars
Update documentation to reference swappable components
b06498a
@vierbergenlars
Add encryption of DEKs with vault
da5524d
@vierbergenlars
Add test for AesCtrEncryptionEngine
4c6bc70
@vierbergenlars
Add tests for StoredDataEncryptionKey data conversions
97cecec
@vierbergenlars
Add integration tests with a DataEncryptionKeyWrapper that does not d…
0d41e10 
…ecrypt
@vierbergenlars
Move implementation of addKey/removeKey methods to DataEncryptionKeyA…
2a141b2 
…ccessor interface
@vierbergenlars
Add integration test using custom DataEncryptionKeyAccessor
5e29104 
We need to ensure that the accessor is able to read the content property from the entity before it is removed/after it is created.
This is necessary to have custom key accessors work, so they can store the encryption key somewhere other than the entity itself,
for example based on the content id
@vierbergenlars
Move VaultTransitDataEncryptionKeyWrapper to public API
bc942a7 
This DataEncryptionKeyWrapper object needs to be instanciated by users to use vault encryption, so it should not be in the internal package
vierbergenlars added a commit to vierbergenlars/spring-content-gettingstarted that referenced this pull request Jan 21, 2025
@vierbergenlars
Update encryption example for updated encryption module
ec12893 
The encryption module has been updated in paulcwarren/spring-content#2240
@vierbergenlars vierbergenlars mentioned this pull request Jan 21, 2025
Merged
@vierbergenlars
Copy link
Contributor Author

vierbergenlars commented Jan 21, 2025

Note that builds against the getting-started repo are failing due to a refactor of the encryption classes. (I have opened a PR there to update the example as well)
The normal unit & integration tests are passing.

@paulcwarren
reset gettingstarted branch
ebb85dd 
- gettingstarted PR now merged
@paulcwarren paulcwarren merged commit aebb709 into paulcwarren:main Feb 6, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vierbergenlars @paulcwarren