Data Encryption Configuration

Vinyl uses data encryption for two purposes:

  • Protecting security tokens such as session cookies.
  • Application-level, column encryption.

Both use the same underlying data encryption technology. Specifically, they use ASP.Net Data Protection API. Although Vinyl will attempt to configure the Data Protection library automatically, additional configuration may be necessary.

Note

This article applies to Vinyl 3.0 and earlier versions. See the Data Encryption Configuration article for Vinyl 3.1+.

Data Encryption Key Storage

Data Encryption Keys (DEKs) are symmetric encryption keys used to protect data. Because DEKs are used to encrypt data stored in the database, the DEKs themselves cannot be stored in the database. Vinyl supports multiple, configurable DEK storage policies. Administrators must choose the appropriate storage policy for their environment. Vinyl supports the following storage policies:

  • File system
  • S3

The storage policy is configured via AppSettings. See Custom .Net Configuration for additional information on AppSettings.

File System Storage

In Vinyl 3.1+ Data Encryption is configured in AppSettings.json.

Setting: DataEncryptionKeyStorage
Example: FileSystem
Notes: Indicates that Vinyl should store DEKs on the file system. This is the default value.

Setting: DataEncryptionKeyDirectory
Example: C:\inetpub\wwwroot\Vinyl\App_Data\Keys
Notes: Identifies the directory in which DEKs will be stored. Defaults to the App_Data\Keys directory beneath the Vinyl installation directory. The application pool user must have full control of this directory.

Setting: KeyEncryptionKeyCertificateThumbprint
Example: C123B3E899807189F11F0EC4AC320760F00ECE34
Notes: Optional. X.509 thumbprint of the Key Encryption Key (KEK). The KEK certificate should be registered in the Personal certificate store for the Local Computer. The thumbprint can be found by looking at the certificate properties.

Example AppSettings Configuration

<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
  <add key="DataEncryptionKeyStorage" value="FileSystem" />
  <add key="DataEncryptionKeyDirectory" value="C:\inetpub\wwwroot\Vinyl\App_Data\Keys" />
  <add key="KeyEncryptionKeyCertificateThumbprint" value="C123B3E899807189F11F0EC4AC320760F00ECE34" />
</appSettings>

Amazon S3 Storage

Because EC2 instance local storage cannot be used for long-term storage, DEKs must be stored elsewhere. Vinyl supports storing DEKs in S3 buckets. The following settings configure S3 DEK storage.

Setting: DataEncryptionKeyStorage
Example: S3
Notes: Indicates that Vinyl should store DEKs on Amazon S3.

Setting: DataEncryptionKeyS3BucketEndpoint
Example: https://s3.amazonaws.com/vinyl-data-encryption-keys -or- https://vinyl-data-encryption-keys.s3.amazonaws.com/
Notes: Identifies the AWS region and S3 bucket in which DEKs will be stored. The URL must take one of the following forms:
  • https://s3{-aws-region}.amazonaws.com/{bucket}
  • https://{bucket}.s3{-aws-region}.amazonaws.com
For more information, see the following document: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html

Setting: DataEncryptionKeyS3KeyPrefix
Example: dev
Notes: Optional. Allows multiple environments to store DEKs in the same bucket, isolating the keys by prefix.

Example AppSettings Configuration

<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
  <add key="DataEncryptionKeyStorage" value="S3" />
  <add key="DataEncryptionKeyS3BucketEndpoint" value="https://vinyl-data-encryption-keys.s3.amazonaws.com/" />
  <add key="DataEncryptionKeyS3KeyPrefix" value="dev" />
</appSettings>
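As a pre-deployment check for either storage policy (an added example, not part of the Vinyl documentation or product), the following Python loads an appSettings fragment, parses the S3 bucket endpoint into bucket and region according to the two URL forms documented above, and flags a malformed KEK thumbprint for file-system storage. The regexes accept only the hyphenated s3{-aws-region} forms this page lists; the sample fragment is constructed from the page's example values.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample fragment (not from a real install), built from the page's example values.
SAMPLE_S3 = """<appSettings>
  <add key="DataEncryptionKeyStorage" value="S3" />
  <add key="DataEncryptionKeyS3BucketEndpoint" value="https://vinyl-data-encryption-keys.s3.amazonaws.com/" />
  <add key="DataEncryptionKeyS3KeyPrefix" value="dev" />
</appSettings>"""

# The two endpoint host forms the page documents; the -aws-region suffix is optional in both.
PATH_STYLE = re.compile(r"^s3(?:-(?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
VHOST_STYLE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-(?P<region>[a-z0-9-]+))?\.amazonaws\.com$")

def load_app_settings(xml_text):
    # Collect the <add key="..." value="..."/> entries of an appSettings fragment into a dict.
    return {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("add")}

def parse_bucket_endpoint(url):
    """Return (bucket, region) for a valid endpoint; region is None for the global endpoint."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("endpoint must be an https URL")
    host, path = parts.netloc.lower(), parts.path.strip("/")
    if (m := PATH_STYLE.match(host)):          # https://s3{-aws-region}.amazonaws.com/{bucket}
        if not path or "/" in path:
            raise ValueError("path-style endpoint must name exactly one bucket")
        return path, m.group("region")
    if (m := VHOST_STYLE.match(host)):         # https://{bucket}.s3{-aws-region}.amazonaws.com
        if path:
            raise ValueError("virtual-hosted endpoint must not carry a path")
        return m.group("bucket"), m.group("region")
    raise ValueError("host does not match either documented endpoint form")

def validate(settings):
    """Return a list of problems with the DEK storage settings (empty list means OK)."""
    storage = settings.get("DataEncryptionKeyStorage", "FileSystem")  # FileSystem is the documented default
    thumb = settings.get("KeyEncryptionKeyCertificateThumbprint")
    endpoint = settings.get("DataEncryptionKeyS3BucketEndpoint")
    if storage == "FileSystem":
        if thumb is not None and not re.fullmatch(r"[0-9A-Fa-f]{40}", thumb):
            return ["KeyEncryptionKeyCertificateThumbprint must be 40 hex characters (SHA-1 thumbprint)"]
        return []
    if storage == "S3":
        try:
            parse_bucket_endpoint(endpoint or "")
        except ValueError as exc:
            return [f"DataEncryptionKeyS3BucketEndpoint: {exc}"]
        return []
    return [f"unknown DataEncryptionKeyStorage value: {storage}"]
```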

Elastic Beanstalk configuration

Vinyl ships with a .ebextensions script which automatically registers the environment properties for S3 DEK storage.

Caution

Vinyl will not start with the default Elastic Beanstalk environment properties. You must change the DataEncryptionKeyS3BucketEndpoint and DataEncryptionKeyS3KeyPrefix values.

Granting Elastic Beanstalk environments access to S3 buckets

Storing access keys on the web server is inadvisable.

EC2 instances within an Elastic Beanstalk environment are assigned to a role. Consider using role policies to grant EC2 instances access to an S3 bucket. The following example policy grants access to an S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::{bucket-name}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

Cryptography Providers

In .Net, cryptographic algorithm implementations may be supplied by one of three cryptography providers.

  • Crypto Service Provider (CSP) - The Crypto Service Provider is a wrapper around the Windows Cryptography API (CAPI). CAPI has been deprecated. This provider is therefore not supported.
  • Cryptography Next Generation (CNG) - Algorithms implemented by the CNG provider are typically FIPS compliant. However, CNG is not fully supported on Windows Server 2008. This is the default cryptography provider.
  • Managed - Algorithms implemented by this provider are not typically FIPS compliant. They may be slower than equivalent CNG implementations. However, managed implementations are shipped with the .Net Framework and are therefore available on all platforms.

The cryptography provider is configured via AppSettings.json.

Example AppSettings Configuration

<?xml version="1.0" encoding="utf-8" ?>
<appSettings>
    <add key="DataEncryptionCryptoProvider" value="Managed" />
</appSettings>