Is data encrypted during a request to Azure Key Vault using GetSecretAsync? - azure

I have a program that pulls from Azure Key Vault. When the data comes back it is in plain text. Is the data from the server to the client always in plain text and not encrypted?

Related

Azure key vault in logic app to encrypt or decrypt files

I have a case where I need to connect to a Bank using sFTP and retrieve bank statements and send payment files.
The basic flows will be:
Get Bank statements.
    Fetch Encrypted Signed Data from Bank.
    Decrypt Encrypted Signed Data with my private key.
    Verify the Plain text signed file.
    Unzip data file for further processing.
Send Payment File
    Naming Give payment file the right filename.
    Compress Zip data file (PKZIP format).
    Sign zipped data file with your private key and hash algorithm SHA2-256.
    Encrypt the signed data file with AES256.
    Send Encrypted Signed Data.
Checking the requirements received against the Key Vault functionalities, I see that
Encryption algorithm for data AES256 is not supported?
Any suggestions?
As of now algorithms supported for encryption or decryption using logic apps are RSA-OAEP, RSA1_5 and RSA-OAEP-256.
AES algorithm is not available from logic apps.
Refer to this link; it may help you.

Using vault to store client_secret.json secret when authorising off a remote machine

How do you use vault to essentially return a client secret into a json file so that it can be used by an application? I'm doing this on a remote server that many people will be ssh'ing on to. So ideally when the application executes, it would trigger a function in Python, fetch the client secret from the vault, return it as a value to the client_secrets key in the json file and allow auth without anyone else ever seeing the key.
I'll be using Google Auth client secrets with PyDrive if that makes a difference.

How to protect a non-extractable Secret Key in indexedDB?

I have encrypted data in AES-GCM with the crypto API. The initialisation vector is then added to the data, forming a unique encrypted string stored in local-storage. Finally, the secret key is stored in IndexedDB.
Since the secret key is non-extractable I thought it was secure enough for most use-cases. To my understanding, an attacker would have to rob both the local storage and the indexed db, find the initialisation vector inside the data, convert it to a buffer array and then directly perform the decryption in the browser before sending the data back to his server. Indeed, it seems the non-extractable nature of the secret key means that he would not be able to send the raw secret key to his server and thus not being able to complete the decryption.
But I've been told I was very wrong, and that my strategy was actually barely more secure than letting all the data directly readable in local storage.
So, how could I improve this workflow? Is it really that insecure? Would it be possible to encrypt and decrypt the secret key thanks to a unique password provided by the user? The password would be in a .env file and thus never exposed to an attacker. How would you do it?
Here is how the secret key is generated so far:
    crypto.subtle.generateKey(
      { name: "AES-GCM", length: 256 },
      false,
      ["encrypt", "decrypt"]
    );
Thanks for your help!

How should I store access tokens generated by another application using Google Cloud KMS?

I am building a Node.js application that receives a long term access token from another application that I need to access. I don't want to store these access tokens directly in the database since anyone who has access to these tokens can basically do whatever they want with it.
I am new to Cloud KMS and such systems in general but spent the last few hours learning it. It seems like the ideal solution to solve my problem but I'm not entirely sure what strategy I should follow to store these access tokens:
Should I store an encryption key in Cloud KMS and use that encryption key with an NPM package like this one to store access tokens in my database?
Should I store the access tokens in KMS directly? My assumption is that I would have a key store and keys rotated every 14 days. Whenever I receive an access token, I simply encrypt it and store it at KMS. I only store the ciphertext in my database. When I need to access the access token from KMS, I use the ciphertext to decrypt it.
Which of the above is the right way to use KMS? If it's option 2, I have additional questions:
Can I encrypt a large number of access tokens with a single key or do I need to create a new key for every access token?
If I ever need to modify the access token encrypted at KMS, can I simply modify it or do I need to destroy the old version and encrypt again?
Thanks for your help!
I think your best option is to use the Node.js API provided by Google to encrypt the tokens and store the resulting ciphertext in your database.
When the application receives a token from the other application it encrypts it with the API and compares to what it has in the database to see if it's valid, this way the plain text token is only known by the owner.
Can I encrypt a large number of access tokens with a single key or do I need to create a new key for every access token?
You can encrypt as many tokens as you want with the same key. Creating a key for each token would become unmanageable pretty soon, and unless the key itself is compromised (which is hard to imagine being stored only at Google) there is no significant risk.
If I ever need to modify the access token encrypted at KMS, can I simply modify it or do I need to destroy the old version and encrypt again?
KMS is not storing your data, either encrypted or in plain text, it's just storing the KEY you need to either encrypt or unencrypt your data.
Following the method of storing only the encrypted version of the tokens, when you need to modify one token, it should go like this:
Client sends you the token that needs to be revoked.
Your application encrypts it and compares it with the tokens stored in the DB
The new token is generated (by your client application I understand?)
It's sent to your application, which encrypts it
The old version of the token is substituted with the new version
The client now can use the new token as it has the same validity as the previous. If it tries to use the old token, as it's not in the DB anymore it won't work.
Regarding key rotation, when it happens the new tokens will be encrypted with the new keys. The old tokens will still be unencryptable because your old keys are still on KMS, just not being used for encrypting anymore. However, if you destroy the key they were encrypted with, then they will be unrecoverable.
As of December 2019, the preferred way to store and manage secrets on Google Cloud is Secret Manager:
    $ echo -n "my-access-token" | gcloud beta secrets create "access-token" \
        --data-file=- \
        --replication-policy "automatic"
You can then access secrets from your applications. Here is an example with Node:
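    // Requires the @google-cloud/secret-manager package
    const {SecretManagerServiceClient} = require('@google-cloud/secret-manager');
    const client = new SecretManagerServiceClient();

    // Must be async because accessSecretVersion() is awaited
    async function getSecret() {
      const [version] = await client.accessSecretVersion({
        name: "projects/<YOUR-PROJECT-ID>/secrets/access-token/versions/1",
      });
      const auth = version.payload.data.toString('utf-8');
      // auth is "my-access-token"
      return auth;
    }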
Any services that need to access the secret need roles/secretmanager.secretAccessor permissions on the secret.
Your option 2 is fine, as long as the access tokens are small enough to encrypt with the API (a few thousand bytes or smaller). You can encrypt as many tokens as you need with the same key without impairing security.
14 day key rotation seems more frequent than necessary unless you have a specific need for it.
I don't understand your modification question. If you modify the access token and wish to save the modified version, you should probably encrypt it with your key then save the encrypted data.
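The rotation behaviour described in the answers above, as an added example that is not part of the original posts: a local AES-GCM key ring stands in for Cloud KMS (the `LocalKeyRing` class, its methods and the sample tokens are hypothetical, and no Cloud KMS API is called). It shows several tokens under one key version, old ciphertexts staying readable after rotation, and loss of access once a version is destroyed.

```javascript
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;

// Local stand-in for a KMS key with versions (hypothetical, not the Cloud KMS API).
class LocalKeyRing {
  constructor() { this.versions = new Map(); this.primary = 0; }

  // Rotation adds a version and makes it primary; older versions stay usable for decrypt.
  async rotate() {
    const key = await wc.subtle.generateKey(
      { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
    this.versions.set(++this.primary, key);
    return this.primary;
  }

  destroy(version) { this.versions.delete(version); }

  // Returns "version.iv.ciphertext" (base64 parts): the string kept in the database.
  async encrypt(token) {
    const iv = wc.getRandomValues(new Uint8Array(12));
    const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv },
      this.versions.get(this.primary), new TextEncoder().encode(token));
    const b64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
    return `${this.primary}.${b64(iv)}.${b64(ct)}`;
  }

  async decrypt(stored) {
    const [version, iv, ct] = stored.split(".");
    const key = this.versions.get(Number(version));
    if (!key) throw new Error(`key version ${version} destroyed or unknown`);
    const bytes = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: bytes(iv) }, key, bytes(ct));
    return new TextDecoder().decode(pt);
  }
}

async function rotationDemo() {
  const ring = new LocalKeyRing();
  await ring.rotate();                                // version 1
  const a = await ring.encrypt("token-for-user-a");   // constructed sample tokens
  const a2 = await ring.encrypt("token-for-user-a");  // fresh IV, so a different string
  await ring.rotate();                                // version 2 becomes primary
  const b = await ring.encrypt("token-for-user-b");
  const oldStillReadable = await ring.decrypt(a);     // version 1 is still in the ring
  ring.destroy(1);
  const lost = await ring.decrypt(a).then(() => false, () => true);
  return { oldStillReadable, newReadable: await ring.decrypt(b),
           sameTokenDiffers: a !== a2, lost, bVersion: b.split(".")[0] };
}
```

Because every call uses a fresh IV, the stored string for a token is recovered by decrypting it, not by re-encrypting the token and comparing.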

How to store my encryption key in secure way while doing client side encryption in mobile app?

I want to do client side encryption in a mobile app and the encrypted data will be saved on the server. The data should also be decrypted when the user logs in on another device.
Is there any other way to store the "key" securely, which is used to encrypt and decrypt my data, other than my server? Usually we store the encryption "key" on the server, but I need a more secure place than my server?
Can we use solutions like AWS KMS for this?
You could just never store the (presumably symmetric) key on the device, but instead deterministically regenerate the key each session using a Password-Based Key Derivation Function.
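Both the password idea in the IndexedDB question and the PBKDF suggestion above come down to deriving a key from the user's password each session. The following is an added example, not code from either post: it derives a key-encryption key with PBKDF2 through the Web Crypto API and uses it to wrap the AES-GCM data key, so only the salt, IV and wrapped bytes are stored. The function names, the sample password and the iteration count are assumptions.

```javascript
// Runs in a browser or in Node.js; require() is only reached on older Node versions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for the target devices

// Password + salt -> AES-GCM key-encryption key (KEK). The same inputs always
// give the same KEK, so only the salt is stored, never the KEK itself.
async function deriveKek(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// First run: create the data key and return only its wrapped form for storage.
async function createWrappedDataKey(password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  // wrapKey() refuses non-extractable keys, so this one-off key must be extractable.
  const dataKey = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const wrapped = await wc.subtle.wrapKey(
    "raw", dataKey, await deriveKek(password, salt), { name: "AES-GCM", iv });
  return { salt, iv, wrapped: new Uint8Array(wrapped) };
}

// Later sessions: rebuild the KEK from the password and unwrap the data key
// as non-extractable. A wrong password fails the GCM tag check and rejects.
async function unlockDataKey(password, { salt, iv, wrapped }) {
  return wc.subtle.unwrapKey(
    "raw", wrapped, await deriveKek(password, salt), { name: "AES-GCM", iv },
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function demo() {
  const password = "correct horse battery staple"; // constructed sample password
  const record = await createWrappedDataKey(password);
  const key = await unlockDataKey(password, record);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode("hello"));
  const pt = new TextDecoder().decode(await wc.subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
  const wrongRejected = await unlockDataKey("wrong password", record).then(() => false, () => true);
  return { pt, extractable: key.extractable, wrongRejected };
}
```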
