Encrypt Data

The Encrypt Data protection method encrypts classified data.

When encrypting fields, the protection method encrypts the data key and any additional encryption details, and stores the encrypted details along with the encrypted data.

You can use Amazon AWS Key Management Service (KMS) as a key provider or you can supply the data key. When using Amazon AWS KMS, you specify the KMS Key Amazon Resource Name (ARN). You can use IAM roles or AWS access key pairs to connect to Amazon AWS. When using a user-supplied key, you specify a Base64-encoded key and can optionally configure a key ID.

In both cases, you specify the cipher suite and frame size to use. You can optionally define an encryption context and configure data key caching.

Note: To later decrypt the encrypted data, you must use the same key provider, cipher suite, and any additional details, such as encryption contexts, that the protection method used to encrypt the data.

For information about the structure of AWS-encrypted data, see the AWS Encryption SDK documentation.

Stage Library Requirement

To use the Encrypt Data protection method, the Cryptography stage library must be installed on all Data Protector-enabled Data Collectors.

The Cryptography stage library is included in a full installation of Data Collector. If you use a core installation of Data Collector, you must install the Cryptography stage library. For information about installing a stage library, see Install Additional Stage Libraries in the Data Collector documentation.

Tip: If the New Procedure dialog box does not include the Encrypt Data protection method as an available protection method, the selected Data Collector does not have the Cryptography stage library installed.

Supported Data Types

The Encrypt Data protection method can encrypt string data and any data that can be converted to string. As a result, the protection method can encrypt all data except that of the List, Map, or List-Map data type.

When encrypting data, the Encrypt Data protection method includes the original data type in the encrypted data.

Key Provider

When you use the Encrypt Data protection method, you specify the key provider to use.

You can use Amazon AWS Key Management Service (KMS) as the key provider or you can use your own user-supplied key:
Amazon AWS KMS
Uses a master key provided by the AWS KMS service.
Requires configuring the KMS Key ARN property to identify the Amazon Resource Name (ARN) of the customer master key (CMK). For information about locating the key ARN, see the AWS KMS documentation.
You can optionally use AWS Access Key ID and Secret Access Key to connect to AWS.
User supplied key
Requires specifying a Base64-encoded master key.

You can use credential functions to access a key from a supported credential store. You can also use the base64EncodeString() function to encode the string returned by the function.

The length of the key (after Base64 decoding) must match the length expected by the selected cipher suite. For example, when using a 256-bit (32-byte) cipher suite, the key must be 32 bytes in length.

You can optionally include a string key ID to be used when encrypting the data.

AWS Credentials

When you use Amazon AWS KMS as the key provider, the execution Data Collector must pass credentials to AWS.

Use one of the following methods to pass AWS credentials:
IAM role
When the execution Data Collector runs on an Amazon EC2 instance, you can use the AWS Management Console to configure an IAM role for the EC2 instance. Data Collector uses the IAM instance profile credentials to automatically connect to AWS.
To use an IAM role, do not configure the Access Key ID and Secret Access Key properties.
For more information about assigning an IAM role to an EC2 instance, see the Amazon EC2 documentation.
AWS access key pair
When the execution Data Collector does not run on an Amazon EC2 instance or when the EC2 instance doesn’t have an IAM role, you must configure the Access Key ID and Secret Access Key properties.
Tip: To secure sensitive information such as access key pairs, you can use runtime resources or credential stores. For more information about credential stores, see Credential Stores in the Data Collector documentation.

Cipher Suite

When you use the Encrypt Data protection method, you specify the cipher suite to use. The protection method uses the selected cipher suite to encrypt the data.

The protection method provides the following cipher suites:
  • ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384 (default)
  • ALG_AES_192_GCM_IV12_TAG16_HKDF_SHA384_ECDSA_P384
  • ALG_AES_128_GCM_IV12_TAG16_HKDF_SHA256_ECDSA_P256
  • ALG_AES_256_GCM_IV12_TAG16_HKDF_SHA256 (no signature)
  • ALG_AES_192_GCM_IV12_TAG16_HKDF_SHA256 (no signature)
  • ALG_AES_128_GCM_IV12_TAG16_HKDF_SHA256 (no signature)
  • ALG_AES_256_GCM_IV12_TAG16_NO_KDF (not recommended)
  • ALG_AES_192_GCM_IV12_TAG16_NO_KDF (not recommended)
  • ALG_AES_128_GCM_IV12_TAG16_NO_KDF (not recommended)

For an overview of how the AWS Encryption SDK supports cipher suites, and for details about each suite, see the AWS Encryption SDK documentation.
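The key-length rule from Key Provider and the suite annotations above, as an added example that is not Data Collector's own code: it reads the key, IV and tag sizes, the KDF and the signing curve out of a suite name, decodes a Base64 master key, checks its length against the suite, and flags the suites this page marks as "no signature" or "not recommended". The sample keys are constructed, not real secrets.

```python
import base64
import re

# Suite names follow the AWS Encryption SDK pattern listed on this page:
# AES key size, GCM IV/tag sizes, the KDF, and an optional ECDSA signing curve.
_SUITE_RE = re.compile(
    r"^ALG_AES_(128|192|256)_GCM_IV(\d+)_TAG(\d+)_(HKDF_SHA(?:256|384)|NO_KDF)(_ECDSA_P(?:256|384))?$"
)

# Constructed sample keys (not real secrets): 32 and 16 bytes, Base64-encoded.
SAMPLE_KEY_32_B64 = base64.b64encode(b"\x01" * 32).decode()
SAMPLE_KEY_16_B64 = base64.b64encode(b"\x01" * 16).decode()


def parse_suite(name):
    """Return the parameters encoded in a cipher suite name."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unknown cipher suite: {name}")
    return {
        "key_bytes": int(m.group(1)) // 8,   # 256-bit suite -> 32-byte key
        "iv_bytes": int(m.group(2)),
        "tag_bytes": int(m.group(3)),
        "kdf": m.group(4),
        "signed": m.group(5) is not None,
    }


def check_user_supplied_key(b64_key, suite):
    """Validate a Base64 master key against the selected suite.
    Returns (suite parameters, warnings); raises ValueError on a bad key."""
    info = parse_suite(suite)
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("master key is not valid Base64") from exc
    if len(raw) != info["key_bytes"]:
        raise ValueError(f"{suite} needs a {info['key_bytes']}-byte key, got {len(raw)} bytes")
    warnings = []
    if info["kdf"] == "NO_KDF":
        warnings.append("NO_KDF: the data key is used directly as the AES key, "
                        "with no HKDF derivation; not recommended")
    if not info["signed"]:
        warnings.append("no ECDSA signature: integrity rests on the GCM tag alone, "
                        "so anyone holding the data key can produce a valid message")
    return info, warnings
```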

Encryption Context

You can specify encryption contexts to be included in the encrypted data. Encryption contexts, also known as additional authenticated data (AAD), are key-value pairs that are encrypted and included with the encrypted data.

You can optionally use encryption contexts as an additional safeguard against tampering with encrypted data.

The encryption contexts used to encrypt data are also required to decrypt it.

Data Key Caching

The Encrypt Data protection method generates a new data key for each encryption operation. You can enable caching and reusing data keys to increase pipeline performance when security considerations allow.

Consider the possible security ramifications before enabling data key caching. This AWS blog post describes some of the issues to consider. For details on how data key caching works, see the AWS Encryption SDK documentation.

When you enable data key caching, you configure the following properties:
  • Cache Capacity
  • Max Data Key Age
  • Records per Data Key
  • Bytes per Data Key
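The four caching limits above, as an added example that is not Data Collector's or the AWS Encryption SDK's own code (the class, its method names and the sample values are assumptions): a cache that retires a data key as soon as any one limit is reached, evicts the oldest entry when the capacity is full, and keeps keys separated by key ID, cipher suite and encryption context so a key generated under one context is never reused under another.

```python
import os
import time
from collections import OrderedDict
from dataclasses import dataclass

@dataclass
class _Entry:
    data_key: bytes
    created_at: float
    records: int = 0
    bytes_used: int = 0

class DataKeyCache:
    """Reuses data keys under the page's limits: Cache Capacity, Max Data Key Age,
    Records per Data Key and Bytes per Data Key (hypothetical helper, not the SDK)."""

    def __init__(self, capacity, max_age_s, max_records, max_bytes,
                 clock=time.monotonic, keygen=lambda: os.urandom(32)):
        self.capacity, self.max_age_s = capacity, max_age_s
        self.max_records, self.max_bytes = max_records, max_bytes
        self._clock, self._keygen = clock, keygen
        self._entries, self.keys_generated = OrderedDict(), 0

    def _exhausted(self, e, record_bytes):
        return (self._clock() - e.created_at >= self.max_age_s
                or e.records >= self.max_records
                or e.bytes_used + record_bytes > self.max_bytes)

    def data_key_for(self, key_id, suite, context, record_bytes):
        # Key ID, suite and encryption context all have to match for reuse.
        ck = (key_id, suite, tuple(sorted(context.items())))
        e = self._entries.get(ck)
        if e is not None and self._exhausted(e, record_bytes):
            del self._entries[ck]   # retire the key once any limit is reached
            e = None
        if e is None:
            while len(self._entries) >= self.capacity:
                self._entries.popitem(last=False)   # evict the oldest entry
            e = _Entry(self._keygen(), self._clock())
            self._entries[ck] = e
            self.keys_generated += 1
        e.records += 1
        e.bytes_used += record_bytes
        return e.data_key

def demo():
    # Constructed scenario: five 100-byte records, at most two records per data key.
    cache = DataKeyCache(capacity=10, max_age_s=60, max_records=2, max_bytes=10_000)
    keys = [cache.data_key_for("key-1", "suite", {"pipeline": "pii"}, 100) for _ in range(5)]
    return len(set(keys)), cache.keys_generated  # (3, 3)
```

Without caching, every record would cost a key generation (and, with KMS, a KMS call); with the limits set, a leaked data key exposes at most Records per Data Key records or Bytes per Data Key bytes, and only for Max Data Key Age.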