Data Encryption Configuration¶
Vinyl uses data encryption for two purposes:
- Protecting security tokens such as session cookies.
- Application-level, column encryption.
Both use the same underlying data encryption technology. Specifically, they use ASP.Net Data Protection API. Although Vinyl will attempt to configure the Data Protection library automatically, additional configuration may be necessary.
Note
This article applies to Vinyl 3.0 and earlier versions. See the Data Encryption Configuration article for Vinyl 3.1+.
Data Encryption Key Storage¶
Data Encryption Keys (DEKs) are symmetric encryption keys used to protect data. Because DEKs are used to encrypt data stored in the database, the DEKs themselves cannot be stored in the database. Vinyl supports multiple, configurable DEK storage policies. Administrators must choose the appropriate storage policy for their environment. Vinyl supports the following storage policies:
- File system
- S3
The storage policy is configured via AppSettings. See Custom .Net Configuration for additional information on AppSettings.
File System Storage¶
In Vinyl 3.1+ Data Encryption is configured in AppSettings.json.
Setting | Example | Notes |
---|---|---|
DataEncryptionKeyStorage | FileSystem | Indicates that Vinyl should store DEKs on the file system. This is the default value. |
DataEncryptionKeyDirectory | C:\inetpub\wwwroot\Vinyl\App_Data\Keys | Identifies the directory in which DEKs will be stored. Defaults to the App_Data\Keys directory, beneath the Vinyl installation directory. The application pool user must have full control of this directory. |
KeyEncryptionKeyCertificateThumbprint | C123B3E899807189F11F0EC4AC320760F00ECE34 | Optional. X.509 thumbprint of the Key Encryption Key (KEK). The KEK certificate should be registered in the Personal certificate store for the Local Computer. The thumbprint can be found by looking at the certificate properties. |
Example AppSettings Configuration¶
<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
<add key="DataEncryptionKeyStorage" value="FileSystem" />
<add key="DataEncryptionKeyDirectory" value="C:\inetpub\wwwroot\Vinyl\App_Data\Keys" />
<add key="KeyEncryptionKeyCertificateThumbprint" value="C123B3E899807189F11F0EC4AC320760F00ECE34" />
</appSettings>
Amazon S3 Storage¶
Because EC2 instance local storage cannot be used for long-term storage, DEKs must be stored elsewhere. Vinyl supports storing DEKs in S3 buckets. The following settings configure S3 DEK storage.
Setting | Example | Notes |
---|---|---|
DataEncryptionKeyStorage | S3 | Indicates that Vinyl should store DEKs on Amazon S3. |
DataEncryptionKeyS3BucketEndpoint | https://s3.amazonaws.com/vinyl-data-encryption-keys -or- https://vinyl-data-encryption-keys.s3.amazonaws.com/ | Identifies the AWS region and S3 bucket in which S3 keys will be stored. The URL must take one of the following forms:
|
DataEncryptionKeyS3KeyPrefix | dev | Optional. Allows multiple environments to store DEKs in the same bucket, isolating the keys by prefix. |
Example AppSettings.json Configuration¶
<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
<add key="DataEncryptionKeyStorage" value="FileSystem" />
<add key="DataEncryptionKeyDirectory" value="C:\inetpub\wwwroot\Vinyl\App_Data\Keys" />
<add key="KeyEncryptionKeyCertificateThumbprint" value="C123B3E899807189F11F0EC4AC320760F00ECE34" />
</appSettings>
Elastic Beanstalk configuration¶
Vinyl ships with a .ebextensions script which automatically registers the environment properties for S3 DEK storage.
Caution
Vinyl will not start with the default Elastic Beanstalk environment properties. You must change the DataEncryptionKeyS3BucketEndpoint
and DataEncryptionKeyS3KeyPrefix
values.
Granting Elastic Beanstalk environments access to S3 buckets¶
Storing access keys on the web server is inadvisable.
EC2 instances within an Elastic Beanstalk environment are assigned to a role. Consider using role policies to grant EC2 instances access to an S3 bucket. The following example policy grants access to an S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::{bucket-name}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
Cryptography Providers¶
In .Net, cryptographic algorithm implementations may be supplied by one of three cryptography providers.
- Crypto Service Provider (CSP) - The Crypto Service Provider is a wrapper around the Windows Cryptography API (CAPI). CAPI has been deprecated. This provider is therefore not supported.
- Cryptography Next Generation (CNG) - Algorithms implemented by the CNG provider are typically FIPS compliant. However, CNG is not fully supported on Windows Server 2008. This is the default cryptography provider.
- Managed - Algorithms implemented by this provider are not typically FIPS compliant. They may be slower than equivalent CNG implementations. However, managed implementations are shipped with the .Net Framework and are therefore available on all platforms.
The cryptography provider is configured via AppSettings.json.
Example AppSettings Configuration¶
<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
<add key="DataEncryptionCryptoProvider" value="Managed" />
</appSettings>