
Encryption

Steve Cote edited this page Apr 23, 2017 · 1 revision

Overview

The Coyote DX toolkit includes some simple encryption tools to enhance the security of your ETL jobs. They let you keep sensitive data such as credentials out of plain view and make access to protected data considerably harder for unauthorized actors. Using these tools does not in itself make a batch job secure; it raises the bar and hardens the data exchange against unauthorized access.

The goals for the security tools include:

  • Relatively strong security for relatively low resource cost,
  • Simple utilization - do not get in the developer's way,
  • Extensibility - ability to add stronger encryption if desired, and
  • Out of the box value - build security in instead of bolting it on later.

Note that the list above does not attempt to quantify security. This is not intended to be military-grade encryption; it is expected to improve the security of your batch jobs without incurring inordinate cost.

Configuration

One of the first uses for the encryption tools was securing usernames and passwords in configuration files. Many components in the toolkit accept encrypted versions of configuration attributes: if a component supports a password attribute, it probably also supports an encrypted_password attribute. Check each component's documentation for the attributes that support encryption.

The encrypted values in configuration files are Base64 encoded byte arrays: the plain text is UTF-16 encoded, the resulting bytes are encrypted, and the ciphertext is Base64 encoded so it can be stored as text.

Encrypting Strings

The Loader provides access to the encryption tools from the command line:

java -jar CoyoteDX.jar encrypt My5ecretP4ssw0rd
Encrypting 'My5ecretP4ssw0rd'
with a key of 'Q295b3RlQmF0Y2g='
using a 'BlowFish' cipher
55X73JlBKsJMqqVE0MWf+N+p3EeapBisTrb2GTLpqvtmn0EHFNsXCQ==

The first argument is the tag encrypt, which tells the Loader to encrypt the next token on the command line.

The next argument is the token to encrypt. If there are spaces in the token, be sure to enclose the token in double quotes (").

java -jar CoyoteDX.jar encrypt "Seas of Cheeze"
Encrypting 'Seas of Cheeze'
with a key of 'Q295b3RlQmF0Y2g='
using a 'BlowFish' cipher
L0ED2gmnjAmRkMJbHg517TWK/TGEjmsQbbOHVor6jM/mwNvsO5NahQ==

Specifying the Key

If no encryption key is provided, the default key is used. The default key is built into the toolkit and printed in the output above (Q295b3RlQmF0Y2g= is the Base64 encoding of CoyoteBatch), so anyone with a copy of the toolkit can decrypt values protected with it. It will also probably change in each revision, so do not rely on it surviving an upgrade. It is best to specify a key yourself.

This is accomplished by adding it after the token to encrypt:

java -jar CoyoteDX.jar encrypt "Seas of Cheeze" primus
User-specified key did not appear to be Base64 encoded, encoding it.
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'BlowFish' cipher
hJjwFirkTslY+0546iN4RMriSGfnf1JQU9fjHCBw70KVx8ciHmCpQg==

The Loader expects the key in Base64 encoding. If it cannot decode the key, it assumes the key is plain text, encodes it, and reports the encoded value to you. Because the decision is made by attempting to decode the value, a plain-text key that also happens to be valid Base64 (only Base64 characters and a length that is a multiple of four) is decoded rather than encoded; supplying the key already Base64 encoded avoids the ambiguity.

Another way to specify the key is with a system property. This is the preferred method because it separates the key from the data it protects: the key lives in the launch environment rather than in the configuration file alongside the encrypted values.

For the purposes of simple illustration we will just use the command line:

java -Dcipher.key="cHJpbXVz" -jar CoyoteDX.jar encrypt "Seas of Cheeze"
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'BlowFish' cipher
TnUA8AY0hetY+0546iN4RMriSGfnf1JQU9fjHCBw70KVx8ciHmCpQg==

Compare this output with the previous one for the same key and token: the two ciphertexts differ only in the first eight bytes (one Blowfish block); everything after that block is identical. Encrypting the same value twice under the same key therefore produces recognizable ciphertext, which is one reason to treat these tools as hardening for secrets at rest rather than as general-purpose encryption.

Note: cipher.key must be a Base64 encoded value. This is easy to satisfy: provide the key as plain text as the third argument on the command line once, and use the encoded value the Loader reports in the system property.

Different Ciphers

The toolkit supports multiple ciphers. A cipher can be specified as the fourth argument on the command line or with the cipher.name system property:

java -Dcipher.key="cHJpbXVz" -jar CoyoteDX.jar encrypt "Seas of Cheeze" primus xtea
User-specified key did not appear to be Base64 encoded, encoding it.
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'xtea' cipher
U0Hgn54SbGdX9kj/3h5piVpSJGx58MFc39lc+kGUP1VYm8Z0yWLpww==

At present only Blowfish, XTEA and Null are supported. The Null cipher performs no encryption at all and must not be used to protect real secrets.
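The key handling described in the two sections above (a Base64 key expected, plain text encoded when it does not look like Base64, key and cipher passed as system properties rather than as command-line tokens) can be scripted. The following is an added example for this page, not code from the Coyote DX project or its wiki: it assumes coreutils base64 and /dev/urandom, its Base64 check is a reimplementation that approximates the Loader's reported behaviour rather than the toolkit's own logic, and coyote_encrypt assumes CoyoteDX.jar is in the current directory.

```shell
#!/bin/sh
# Added example, not part of the Coyote DX toolkit or its wiki.
# Prepares a value for the cipher.key system property: random key material,
# Base64 encoded as the Loader expects, kept out of the configuration file
# that holds the encrypted values.  Needs coreutils base64 and /dev/urandom.
set -eu

# True when STR is canonical Base64: only alphabet characters, length a
# multiple of four, at most two '=' and only at the end.  This approximates
# the Loader's "did not appear to be Base64 encoded" decision seen in the
# output above; the toolkit's real test is not documented on this page.
looks_like_base64() {
    case "$1" in
        '' | *[!A-Za-z0-9+/=]* | *=*[!=]* | *===) return 1 ;;
    esac
    [ $(( ${#1} % 4 )) -eq 0 ]
}

# Print STR as the Loader will use it: unchanged when it already looks like
# Base64, otherwise Base64 encoded (the "encoding it" case).
to_cipher_key() {
    if looks_like_base64 "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s' "$1" | base64 | tr -d '\n'
        echo
    fi
}

# NBYTES (default 16, i.e. 128 bits) of random key material, Base64 encoded.
# A random key replaces a guessable word such as "primus"; 16 bytes suits
# the key sizes of both Blowfish (32 to 448 bits) and XTEA (128 bits).
random_cipher_key() {
    head -c "${1:-16}" /dev/urandom | base64 | tr -d '\n'
    echo
}

# Invoke the Loader with key and cipher as system properties instead of as
# command-line tokens.  CIPHER is optional; the Loader defaults to Blowfish.
coyote_encrypt() {
    _key=$1
    _token=$2
    _cipher=${3:-}
    if [ -n "$_cipher" ]; then
        java -Dcipher.key="$_key" -Dcipher.name="$_cipher" \
             -jar CoyoteDX.jar encrypt "$_token"
    else
        java -Dcipher.key="$_key" -jar CoyoteDX.jar encrypt "$_token"
    fi
}

# Demonstration.  The java invocation runs only if CoyoteDX.jar is present.
KEY=$(random_cipher_key)
echo "cipher.key=$KEY"
echo "key 'primus' as the Loader would use it: $(to_cipher_key primus)"
echo "key 'abcd' as the Loader would use it:   $(to_cipher_key abcd)"
if [ -f CoyoteDX.jar ]; then
    coyote_encrypt "$KEY" "Seas of Cheeze"
    coyote_encrypt "$KEY" "Seas of Cheeze" xtea
fi
```

The second echo line shows the ambiguity mentioned above: abcd is returned unchanged because four letters are valid Base64, so it would be decoded to three key bytes rather than encoded. Generating the key with random_cipher_key and always handing the Loader the Base64 form sidesteps that. The token itself is still a command-line argument and is therefore visible to other users of the host while the command runs; that is a property of the Loader's interface, not something the script can change.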

Adding Ciphers

CipherUtil allows you to add any implementation of the Cipher interface, so stronger encryption libraries can be plugged into the Coyote DX toolkit if desired.

Why Include Cipher Code

We continually hit environments where the Java crypto libraries were not installed.

We solved this problem by adding widely used, publicly available, exportable crypto to the base package, together with a simple interface that allows stronger or more closed crypto algorithms to be added with relatively little effort.

If your analysis or your own beliefs urge a different cryptographic approach, the toolkit lets you take it. If you are satisfied with the level of protection offered here, or have reviewed the cryptographic algorithms and found them acceptable as others have, use it as is. The choice is yours.
