Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multiple and pluggable content encryption keys and encryption algorithms #2240

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Support multiple and pluggable content encryption keys and encryption algorithms #2240

wants to merge 11 commits into from

Conversation

vierbergenlars
Copy link
Contributor

This refactors the content encryption module to support:

  1. Plugging in encryption strategies for data encryption keys (e.g using AWS KMS or Hashicorp Vault, ...)
  2. Plugging in different storage strategies for encrypted data encryption keys (e.g. in the entity table or in a separate storage table)
  3. Storing multiple encrypted data encryption keys, encrypted with different services or keys
  4. Plugging in different symmetric content encryption algorithms (e.g. AES-CTR)

Provided implementations:

  1. Encrypting data encryption keys using Hashicorp Vault (using the transit engine)
  2. Not encrypting data encryption keys
  3. Storage of encrypted data encryption keys as a byte[] field in the entity next to the content property, with any custom suffix
  4. Encrypting content using AES-CTR, while supporting byte-range partial content requests

@vierbergenlars
Refactor content encryption into pluggable components
6af316d
@vierbergenlars
Extend possible configuration for EncryptingContentStore
cf5264e 
Allow configuration of all pluggable components and provide default values when nothing is configured
@vierbergenlars
Update documentation to reference swappable components
b06498a
@vierbergenlars
Add encryption of DEKs with vault
da5524d
@vierbergenlars
Add test for AesCtrEncryptionEngine
4c6bc70
@vierbergenlars
Add tests for StoredDataEncryptionKey data conversions
97cecec
@vierbergenlars
Add integration tests with a DataEncryptionKeyWrapper that does not d…
0d41e10 
…ecrypt
@vierbergenlars
Move implementation of addKey/removeKey methods to DataEncryptionKeyA…
2a141b2 
…ccessor interface
@vierbergenlars
Add integration test using custom DataEncryptionKeyAccessor
5e29104 
We need to ensure that the accessor is able to read the content property from the entity before it is removed/after it is created.
This is necessary to have custom key accessors work, so they can store the encryption key somewhere other than the entity itself,
for example based on the content id
@vierbergenlars
Move VaultTransitDataEncryptionKeyWrapper to public API
bc942a7 
This DataEncryptionKeyWrapper object needs to be instanciated by users to use vault encryption, so it should not be in the internal package
vierbergenlars added a commit to vierbergenlars/spring-content-gettingstarted that referenced this pull request Jan 21, 2025
@vierbergenlars
Update encryption example for updated encryption module
ec12893 
The encryption module has been updated in paulcwarren/spring-content#2240
@vierbergenlars vierbergenlars mentioned this pull request Jan 21, 2025
Open
@vierbergenlars
Copy link
Contributor Author

Note that builds against the getting-started repo are failing due to a refactor of the encryption classes. (I have opened a PR there to update the example as well)
The normal unit & integration tests are passing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@vierbergenlars