Data encryption configuration in Jitterbit App Builder
Overview
App Builder uses data encryption for two purposes:
- Protecting security tokens such as session cookies
- Application-level, column encryption
Both use the same underlying data encryption technology. Specifically, they use ASP.Net Data Protection API. Although App Builder will attempt to configure the Data Protection library automatically, additional configuration may be necessary.
Data encryption keys
Data Encryption Keys (DEKs) are symmetric encryption keys used to protect data. App Builder supports multiple, configurable key storage and encryption policies. Administrators must choose the appropriate policies for their environment.
Storage
App Builder supports the following key storage policies:
- File system, either local or network share
- Database
- Amazon Web Services (AWS) S3
- AWS Systems Manager Parameter Store
Encryption
Depending on the storage location, administrators should consider encrypting keys. App Builder supports the following key encryption policies:
- Certificate
- AWS Key Management Service
Configuration
Key storage and encryption policies are configured on startup. Configuration can be supplied using the appsettings.json file:
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"KeyEncryption": "None"
}
}
Configuration can also be supplied by environment variables:
export DATAENCRYPTION__KEYSTORAGE=FileSystem
export DATAENCRYPTION__KEYENCRYPTION=None
See Configuring App Builder on startup for additional information.
Storage
File system
By default, App Builder will store keys on the file system as plain text. They are stored in the keys directory beneath the App Builder installation directory.
Settings
Setting | Example | Notes |
---|---|---|
KeyStorage | FileSystem | Indicates that App Builder should store keys on the file system. This is the default policy. |
Directory | keys | Identifies the directory in which keys will be stored. Defaults to the keys directory beneath the App Builder installation directory. The App Builder process must have full control of this directory. On Windows, this is achieved by granting the IIS application pool user permission. |
Example
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"Directory": "keys"
}
}
Database
Keys can be stored in the App Builder database. Note that, because the keys are used to encrypt data that's also stored in the database, the keys themselves should be encrypted.
Settings
Setting | Example | Notes |
---|---|---|
KeyStorage | Database | Indicates that App Builder should store keys in the App Builder database. |
Example
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Certificate",
"Certificate": "...base64-encoded...",
"CertificatePassword": "password"
}
}
AWS S3
EC2 instance local storage is not typically used for long-term persistence. As an alternative, App Builder supports storing keys in S3 buckets.
Settings
Setting | Example | Notes |
---|---|---|
KeyStorage | S3 | Indicates that App Builder should store keys in an AWS S3 bucket. |
S3BucketEndpoint | https://s3.amazonaws.com/vinyl-data-encryption-keys -or- https://vinyl-data-encryption-keys.s3.amazonaws.com/ | Identifies the AWS region and S3 bucket in which S3 keys will be stored. The URL must take one of the following forms:
|
S3KeyPrefix | dev | Optional. Allows multiple environments to store keys in the same bucket, isolating the keys by prefix. |
Example
{
"DataEncryption": {
"KeyStorage": "S3",
"S3BucketEndpoint": "https://{bucket}.s3{-aws-region}.amazonaws.com",
"S3KeyPrefix": "production"
}
}
AWS systems manager parameter store
EC2 instance local storage is not typically used for long-term persistence. As an alternative, keys can be stored in AWS Systems Manager Parameter Store. Keys stored in Parameter Store can be encrypted using Key Management Service (KMS).
Settings
Setting | Example | Notes |
---|---|---|
KeyStorage | ParameterStore | Indicates that App Builder should store keys in AWS Systems Manager Parameter Store. |
ParameterNamePrefix | /production | Isolates keys by prefix. |
KmsKeyId | arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab | Optional. Identifies the KMS key that should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN). |
Example
{
"DataEncryption": {
"KeyStorage": "ParameterStore",
"ParameterNamePrefix": "/production",
"KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
Encryption
None
By default, App Builder does not encrypt keys. However, keys may be encrypted transparently based on the storage policy. For example, an S3 bucket can be configured to encrypt all data.
Settings
Setting | Example | Notes |
---|---|---|
KeyEncryption | None | Indicates that keys should be stored in plain text. |
Example
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"KeyEncryption": "None"
}
}
Certificate
Keys can be encrypted using an X.509 certificate.
Settings
Setting | Example | Notes |
---|---|---|
KeyEncryption | Certificate | Indicates that keys should be encrypted using an X.509 certificate. Administrators must supply either Certificate or CertificateThumbprint. |
Certificate | X.509 certificate. Certificate must be supplied as a base64-encoded, PKCS#12 (PFX) with private key. Requires CertificatePassword. | |
CertificatePassword | X.509 certificate password. | |
CertificateThumbprint | X.509 certificate thumbprint. App Builder will attempt to load the certificate from the Local Computer account Personal certificate store. |
Example
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"CertificateThumbprint": "C123B3E899807189F11F0EC4AC320760F00ECE34"
}
}
AWS key management service
App Builder can be configured to encrypt keys using AWS Key Management Service (KMS).
Settings
Setting | Example | Notes |
---|---|---|
KeyEncryption | Kms | Indicates that App Builder should encrypt keys with AWS KMS. |
KmsKeyId | arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab | Identifies the KMS key which should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN). |
Example
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Kms",
"KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
Amazon Web Services
S3 bucket policy
When storing encryption keys in an S3 bucket, consider using a role policy to grant the EC2 instance access to the bucket.
Example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::{bucket-name}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
KMS key policy
When encrypting keys with KMS, consider using a role policy to grant the EC3 instance access to the key.
Example
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-west-2:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
]
}
}
Elastic Beanstalk
App Builder ships with a .ebextensions script which automatically registers the environment properties.
Defaults
The default Elastic Beanstalk configuration varies based on the version of App Builder.
Setting | 3.2 and Lower | 3.3 and Higher |
---|---|---|
KeyStorage | S3 | Database |
S3BucketEndpoint | https://{bucket}.s3{-aws-region}.amazonaws.com | |
S3BucketPrefix | {elastic-beanstalk-environment-name} | |
KeyEncryption | Kms | |
KmsKeyId | {kms-key-arn} |
Caution
App Builder will not start with the default Elastic Beanstalk environment properties. Administrators must change the KmsKeyId or choose an alternate key encryption policy.
Cryptography providers
App Builder is a .NET application. In .NET, cryptographic algorithm implementations may be supplied by one of three cryptography providers.
- Crypto Service Provider (CSP) - The Crypto Service Provider is a wrapper around the Windows Cryptography API (CAPI). CAPI has been deprecated. This provider is therefore not supported.
- Cryptography Next Generation (CNG) - Algorithms implemented by the CNG provider are typically FIPS compliant. This is the default cryptography provider.
- Managed - Algorithms implemented by this provider are not typically FIPS compliant. They may be slower than equivalent CNG implementations. However, managed implementations are shipped with .NET and are therefore available on all platforms.
Settings
Setting | Example | Notes |
---|---|---|
CryptoProvider | Cng | Determines the crypto provider. Valid values include:
|
Example
{
"DataEncryption": {
"CryptoProvider": "Managed"
}
}
Import
Data encryption keys can be imported on startup. Typically, this is done to migrate keys from one storage location to another. Keys will be decrypted and encrypted in the process.
Settings
Setting | Example | Notes |
---|---|---|
Import | Alternate set of key storage and encryption policies. |
Example
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Certificate",
"Certificate": "...base64-encoded...",
"CertificatePassword": "password",
"Import": {
"KeyStorage": "FileSystem",
"Directory": "keys"
}
}
}