Skip to Content

Data Encryption Configuration

Overview

Vinyl uses data encryption for two purposes:

  • Protecting security tokens such as session cookies
  • Application-level, column encryption

Both use the same underlying data encryption technology. Specifically, they use ASP.Net Data Protection API. Although Vinyl will attempt to configure the Data Protection library automatically, additional configuration may be necessary.

Note

This article applies to Vinyl 3.1 and later versions. Features that are version-specific are notated**. See the Data Encryption Configuration article for Vinyl 3.0 and earlier.

Data Encryption Keys

Data Encryption Keys (DEKs) are symmetric encryption keys used to protect data. Vinyl supports multiple, configurable key storage and encryption policies. Administrators must choose the appropriate policies for their environment.

Storage

Vinyl supports the following key storage policies:

  • File system, either local or network share
  • Database (3.3)
  • Amazon Web Services (AWS) S3
  • AWS Systems Manager Parameter Store (3.2)

Encryption

Depending on the storage location, administrators should consider encrypting keys. Vinyl supports the following key encryption policies:

  • Certificate
  • AWS Key Management Service

Configuration

Key storage and encryption policies are configured on startup. Configuration can be supplied using the appsettings.json file:

{
  "DataEncryption": {
    "KeyStorage": "FileSystem",
    "KeyEncryption": "None"
  }
}

Configuration can also be supplied by environment variables:

export DATAENCRYPTION__KEYSTORAGE=FileSystem
export DATAENCRYPTION__KEYENCRYPTION=None

See Configuring Vinyl on Startup for additional information.

Storage

File System

By default, Vinyl will store keys on the file system as plain text. They are stored in the keys directory beneath the Vinyl installation directory.

Settings
Setting Example Notes
KeyStorage FileSystem Indicates that Vinyl should store keys on the file system. This is the default policy.
Directory keys Identifies the directory in which keys will be stored. Defaults to the keys directory beneath the Vinyl installation directory. The Vinyl process must have full control of this directory. On Windows, this is achieved by granting the IIS application pool user permission.
Example
{
  "DataEncryption": {
     "KeyStorage": "FileSystem",
     "Directory": "keys"
  }
}

Database

Keys can be stored in the Vinyl database. Note that, because the keys are used to encrypt data that's also stored in the database, the keys themselves should be encrypted.

Settings
Setting Example Notes
KeyStorage Database Indicates that Vinyl should store keys in the Vinyl database.
Example
{
  "DataEncryption": {
     "KeyStorage": "Database",
     "KeyEncryption": "Certificate",
     "Certificate": "...base64-encoded...",
     "CertificatePassword": "password"
  }
}

AWS S3

EC2 instance local storage is not typically used for long-term persistence. As an alternative, Vinyl supports storing keys in S3 buckets.

Settings
Setting Example Notes
KeyStorage S3 Indicates that Vinyl should store keys in an AWS S3 bucket.
S3BucketEndpoint https://s3.amazonaws.com/vinyl-data-encryption-keys
-or-
https://vinyl-data-encryption-keys.s3.amazonaws.com/ 		Identifies the AWS region and S3 bucket in which S3 keys will be stored. The URL must take one of the following forms:
  • https://s3{-aws-region}.amazonaws.com/{bucket}
  • https://{bucket}.s3{-aws-region}.amazonaws.com
For more information, see the following document:
S3KeyPrefix dev Optional. Allows multiple environments to store keys in the same bucket, isolating the keys by prefix.
Example
{
  "DataEncryption": {
     "KeyStorage": "S3",
     "S3BucketEndpoint": "https://{bucket}.s3{-aws-region}.amazonaws.com",
     "S3KeyPrefix": "production"
  }
}

AWS Systems Manager Parameter Store

EC2 instance local storage is not typically used for long-term persistence. As an alternative, keys can be stored in AWS Systems Manager Parameter Store. Keys stored in Parameter Store can be encrypted using Key Management Service (KMS).

Settings
Setting Example Notes
KeyStorage ParameterStore Indicates that Vinyl should store keys in AWS Systems Manager Parameter Store.
ParameterNamePrefix /production Isolates keys by prefix.
KmsKeyId arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab Optional. Identifies the KMS key that should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN).
Example
{
  "DataEncryption": {
     "KeyStorage": "ParameterStore",
     "ParameterNamePrefix": "/production",
     "KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}

Encryption

None

By default, Vinyl does not encrypt keys. However, keys may be encrypted transparently based on the storage policy. For example, an S3 bucket can be configured to encrypt all data.

Settings
Setting Example Notes
KeyEncryption None Indicates that keys should be stored in plain text.
Example
{
  "DataEncryption": {
    "KeyStorage": "FileSystem",
    "KeyEncryption": "None"
  }
}

Certificate

Keys can be encrypted using an X.509 certificate.

Settings
Setting Example Notes
KeyEncryption Certificate Indicates that keys should be encrypted using an X.509 certificate. Administrators must supply either Certificate or CertificateThumbprint.
Certificate X.509 certificate. Certificate must be supplied as a base64-encoded, PKCS#12 (PFX) with private key. Requires CertificatePassword.
CertificatePassword X.509 certificate password.
CertificateThumbprint X.509 certificate thumbprint. Vinyl will attempt to load the certificate from the Local Computer account Personal certificate store.
Example
{
  "DataEncryption": {
     "KeyStorage": "FileSystem",
     "CertificateThumbprint": "C123B3E899807189F11F0EC4AC320760F00ECE34"
  }
}

AWS Key Management Service

Vinyl can be configured to encrypt keys using AWS Key Management Service (KMS).

Settings
Setting Example Notes
KeyEncryption Kms Indicates that Vinyl should encrypt keys with AWS KMS.
KmsKeyId arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab Identifies the KMS key which should be used to encrypt keys. The value should take the form of an Amazon Resource Name (ARN).
Example
{
  "DataEncryption": {
     "KeyStorage": "Database",
     "KeyEncryption": "Kms",
     "KmsKeyId": "arn:aws:kms:us-east-1:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}

Amazon Web Services

S3 Bucket Policy

When storing encryption keys in an S3 bucket, consider using a role policy to grant the EC2 instance access to the bucket.

Example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::{bucket-name}/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}

KMS Key Policy

When encrypting keys with KMS, consider using a role policy to grant the EC3 instance access to the key.

Example
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:GenerateDataKey",
      "kms:Encrypt",
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:us-west-2:1234567890:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    ]
  }
}

Elastic Beanstalk

Vinyl ships with a .ebextensions script which automatically registers the environment properties.

Defaults

The default Elastic Beanstalk configuration varies based on the version of Vinyl.

Setting 3.2 and Lower 3.3 and Higher
KeyStorage S3 Database
S3BucketEndpoint https://{bucket}.s3{-aws-region}.amazonaws.com
S3BucketPrefix {elastic-beanstalk-environment-name}
KeyEncryption Kms
KmsKeyId {kms-key-arn}

Caution

Vinyl will not start with the default Elastic Beanstalk environment properties. Administrators must change the KmsKeyId or choose an alternate key encryption policy.

Cryptography Providers

Vinyl is a .NET application. In .NET, cryptographic algorithm implementations may be supplied by one of three cryptography providers.

  • Crypto Service Provider (CSP) - The Crypto Service Provider is a wrapper around the Windows Cryptography API (CAPI). CAPI has been deprecated. This provider is therefore not supported.
  • Cryptography Next Generation (CNG) - Algorithms implemented by the CNG provider are typically FIPS compliant. This is the default cryptography provider.
  • Managed - Algorithms implemented by this provider are not typically FIPS compliant. They may be slower than equivalent CNG implementations. However, managed implementations are shipped with .NET and are therefore available on all platforms.

Settings

Setting Example Notes
CryptoProvider Cng Determines the crypto provider. Valid values include:
  • Cng - Cryptography Next Generation. Default.
  • Managed - Managed implementations.

Example

{
  "DataEncryption": {
    "CryptoProvider": "Managed"
  }
}

Import

Data encryption keys can be imported on startup. Typically, this is done to migrate keys from one storage location to another. Keys will be decrypted and encrypted in the process.

Settings

Setting Example Notes
Import Alternate set of key storage and encryption policies.

Example

{
  "DataEncryption": {
    "KeyStorage": "Database",
    "KeyEncryption": "Certificate",
    "Certificate": "...base64-encoded...",
    "CertificatePassword": "password",
    "Import": {
      "KeyStorage": "FileSystem"
      "Directory": "keys"
    }
  }
}