Data Encryption Configuration¶
Overview¶
Vinyl uses data encryption for two purposes:
- Protecting security tokens such as session cookies
- Application-level, column encryption
Both use the same underlying data encryption technology. Specifically, they use ASP.Net Data Protection API. Although Vinyl will attempt to configure the Data Protection library automatically, additional configuration may be necessary.
Note
This article applies to Vinyl 3.1 and later versions. Features that are version-specific are notated**. See the Data Encryption Configuration article for Vinyl 3.0 and earlier.
Data Encryption Keys¶
Data Encryption Keys (DEKs) are symmetric encryption keys used to protect data. Vinyl supports multiple, configurable key storage and encryption policies. Administrators must choose the appropriate policies for their environment.
Storage¶
Vinyl supports the following key storage policies:
- File system, either local or network share
- Database (3.3)
- Amazon Web Services (AWS) S3
- AWS Systems Manager Parameter Store (3.2)
Encryption¶
Depending on the storage location, administrators should consider encrypting keys. Vinyl supports the following key encryption policies:
- Certificate
- AWS Key Management Service
Configuration¶
Key storage and encryption policies are configured on startup. Configuration can be supplied using the appsettings.json file:
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"KeyEncryption": "None"
}
}
Configuration can also be supplied by environment variables:
export DATAENCRYPTION__KEYSTORAGE=FileSystem
export DATAENCRYPTION__KEYENCRYPTION=None
See Configuring Vinyl on Startup for additional information.
Storage¶
File System¶
By default, Vinyl will store keys on the file system as plain text. They are stored in the keys directory beneath the Vinyl installation directory.
Settings¶
Setting | Example | Notes |
---|---|---|
KeyStorage | FileSystem | Indicates that Vinyl should store keys on the file system. This is the default policy. |
Directory | keys | Identifies the directory in which keys will be stored. Defaults to the keys directory beneath the Vinyl installation directory. The Vinyl process must have full control of this directory. On Windows, this is achieved by granting the IIS application pool user permission. |
Example¶
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"Directory": "keys"
}
}
Database¶
Keys can be stored in the Vinyl database. Note that, because the keys are used to encrypt data that's also stored in the database, the keys themselves should be encrypted.
Settings¶
Setting | Example | Notes |
---|---|---|
KeyStorage | Database | Indicates that Vinyl should store keys in the Vinyl database. |
Example¶
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Certificate",
"Certificate": "...base64-encoded...",
"CertificatePassword": "password"
}
}
AWS S3¶
EC2 instance local storage is not typically used for long-term persistence. As an alternative, Vinyl supports storing keys in S3 buckets.
Settings¶
Example¶
{
"DataEncryption": {
"KeyStorage": "S3",
"S3BucketEndpoint": "https://{bucket}.s3{-aws-region}.amazonaws.com",
"S3KeyPrefix": "production"
}
}
AWS Systems Manager Parameter Store¶
EC2 instance local storage is not typically used for long-term persistence. As an alternative, keys can be stored in AWS Systems Manager Parameter Store. Keys stored in Parameter Store can be encrypted using Key Management Service (KMS).
Settings¶
Setting | Example | Notes |
---|---|---|
KeyStorage | ParameterStore | Indicates that Vinyl should store keys in AWS Systems Manager Parameter Store. |
ParameterNamePrefix | /production | Isolates keys by prefix. |
KmsKeyId | arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab | Optional. Identifies the KMS key that should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN). |
Example¶
{
"DataEncryption": {
"KeyStorage": "ParameterStore",
"ParameterNamePrefix": "/production",
"KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
Encryption¶
None¶
By default, Vinyl does not encrypt keys. However, keys may be encrypted transparently based on the storage policy. For example, an S3 bucket can be configured to encrypt all data.
Settings¶
Setting | Example | Notes |
---|---|---|
KeyEncryption | None | Indicates that keys should be stored in plain text. |
Example¶
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"KeyEncryption": "None"
}
}
Certificate¶
Keys can be encrypted using an X.509 certificate.
Settings¶
Setting | Example | Notes |
---|---|---|
KeyEncryption | Certificate | Indicates that keys should be encrypted using an X.509 certificate. Administrators must supply either Certificate or CertificateThumbprint. |
Certificate | X.509 certificate. Certificate must be supplied as a base64-encoded, PKCS#12 (PFX) with private key. Requires CertificatePassword. | |
CertificatePassword | X.509 certificate password. | |
CertificateThumbprint | X.509 certificate thumbprint. Vinyl will attempt to load the certificate from the Local Computer account Personal certificate store. |
Example¶
{
"DataEncryption": {
"KeyStorage": "FileSystem",
"CertificateThumbprint": "C123B3E899807189F11F0EC4AC320760F00ECE34"
}
}
AWS Key Management Service¶
Vinyl can be configured to encrypt keys using AWS Key Management Service (KMS).
Settings¶
Setting | Example | Notes |
---|---|---|
KeyEncryption | Kms | Indicates that Vinyl should encrypt keys with AWS KMS. |
KmsKeyId | arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab | Identifies the KMS key which should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN). |
Example¶
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Kms",
"KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
}
Amazon Web Services¶
S3 Bucket Policy¶
When storing encryption keys in an S3 bucket, consider using a role policy to grant the EC2 instance access to the bucket.
Example¶
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::{bucket-name}/*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
KMS Key Policy¶
When encrypting keys with KMS, consider using a role policy to grant the EC3 instance access to the key.
Example¶
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-west-2:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
]
}
}
Elastic Beanstalk¶
Vinyl ships with a .ebextensions script which automatically registers the environment properties.
Defaults¶
The default Elastic Beanstalk configuration varies based on the version of Vinyl.
Setting | 3.2 and Lower | 3.3 and Higher |
---|---|---|
KeyStorage | S3 | Database |
S3BucketEndpoint | https://{bucket}.s3{-aws-region}.amazonaws.com | |
S3BucketPrefix | {elastic-beanstalk-environment-name} | |
KeyEncryption | Kms | |
KmsKeyId | {kms-key-arn} |
Caution
Vinyl will not start with the default Elastic Beanstalk environment properties. Administrators must change the KmsKeyId or choose an alternate key encryption policy.
Cryptography Providers¶
Vinyl is a .NET application. In .NET, cryptographic algorithm implementations may be supplied by one of three cryptography providers.
- Crypto Service Provider (CSP) - The Crypto Service Provider is a wrapper around the Windows Cryptography API (CAPI). CAPI has been deprecated. This provider is therefore not supported.
- Cryptography Next Generation (CNG) - Algorithms implemented by the CNG provider are typically FIPS compliant. This is the default cryptography provider.
- Managed - Algorithms implemented by this provider are not typically FIPS compliant. They may be slower than equivalent CNG implementations. However, managed implementations are shipped with .NET and are therefore available on all platforms.
Settings¶
Setting | Example | Notes |
---|---|---|
CryptoProvider | Cng | Determines the crypto provider. Valid values include:
|
Example¶
{
"DataEncryption": {
"CryptoProvider": "Managed"
}
}
Import¶
Data encryption keys can be imported on startup. Typically, this is done to migrate keys from one storage location to another. Keys will be decrypted and encrypted in the process.
Settings¶
Setting | Example | Notes |
---|---|---|
Import | Alternate set of key storage and encryption policies. |
Example¶
{
"DataEncryption": {
"KeyStorage": "Database",
"KeyEncryption": "Certificate",
"Certificate": "...base64-encoded...",
"CertificatePassword": "password",
"Import": {
"KeyStorage": "FileSystem"
"Directory": "keys"
}
}
}