Encryption
The Coyote DX toolkit includes some simple encryption tools to enhance the security of your ETL jobs. These tools allow you to keep sensitive data private and make accessing protected data far more difficult for unauthorized actors. The use of these tools will not by themselves make your batch jobs secure, but they enhance that security and harden the data exchange against unauthorized access.
The goals for the security tools include:
- Relatively strong security for relatively low resource cost,
- Simple utilization - do not get in the developer's way,
- Extensibility - ability to add stronger encryption if desired, and
- Out of the box value - build security in instead of bolting it on later.
Note that the above list does not attempt to quantify security. This is not intended to be military-grade encryption; it is expected to improve the security of your batch jobs without incurring inordinate costs.
One of the first uses for the encryption tools was to secure usernames and passwords in configuration files. Many components in the toolkit support encrypted versions of configuration attributes. If a component supports a password configuration attribute, it probably also supports an encrypted_password attribute. Check the component's documentation for the attributes which support encryption.
The encrypted values in configuration files are Base64 encoded byte arrays of UTF-16 encoded strings.
The Loader provides access to the encryption tools from the command line:
```
java -jar CoyoteDX.jar encrypt My5ecretP4ssw0rd
Encrypting 'My5ecretP4ssw0rd'
with a key of 'Q295b3RlQmF0Y2g='
using a 'BlowFish' cipher
55X73JlBKsJMqqVE0MWf+N+p3EeapBisTrb2GTLpqvtmn0EHFNsXCQ==
```
The first argument is the tag encrypt, which tells the loader to encrypt the next token on the command line.
The next argument is the token to encrypt. If there are spaces in the token, be sure to enclose the token in double quotes (").
```
java -jar CoyoteDX.jar encrypt "Seas of Cheeze"
Encrypting 'Seas of Cheeze'
with a key of 'Q295b3RlQmF0Y2g='
using a 'BlowFish' cipher
L0ED2gmnjAmRkMJbHg517TWK/TGEjmsQbbOHVor6jM/mwNvsO5NahQ==
```
If no encryption key is provided, the default key will be used. This will probably change in each revision so don't rely on it past an upgrade. It is best if you specify one yourself.
This is accomplished by adding it after the token to encrypt:
```
java -jar CoyoteDX.jar encrypt "Seas of Cheeze" primus
User-specified key did not appear to be Base64 encoded, encoding it.
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'BlowFish' cipher
hJjwFirkTslY+0546iN4RMriSGfnf1JQU9fjHCBw70KVx8ciHmCpQg==
```
The Loader expects the key to be specified in Base64 encoding. If it cannot decode the key, it will assume the key is plain text and encode it, reporting the result of that encoding to you.
Another way to specify the key is to use system properties. This is the preferred method because it keeps the key separate from the data: the key lives outside the configuration files rather than alongside the data it protects.
For the purposes of simple illustration we will just use the command line:
```
java -Dcipher.key="cHJpbXVz" -jar CoyoteDX.jar encrypt "Seas of Cheeze"
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'BlowFish' cipher
TnUA8AY0hetY+0546iN4RMriSGfnf1JQU9fjHCBw70KVx8ciHmCpQg==
```
Note: the cipher.key system property must be a Base64 encoded value. This should not be a problem because you can provide the key as plain text in the third argument on the command line and then use the reported encoded value in the system property.
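As an added illustration (not code from the Coyote DX project), the following Java class mirrors the pipeline this page describes: a user key is accepted as Base64 or encoded if it is not, the value is UTF-16 encoded, Blowfish encrypted and Base64 encoded, and the result can be decrypted again at load time. It uses the JDK's javax.crypto Blowfish in CBC mode with an assumed random-IV-prefix layout rather than the toolkit's bundled cipher, so its ciphertext is not interchangeable with what CoyoteDX.jar produces.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example using the JDK's javax.crypto, not the toolkit's bundled Blowfish;
// the ciphertext layout (8-byte IV || CBC body) is an assumption, not the CoyoteDX format.
public class ConfigSecretDemo {
  // Key rule the Loader describes: valid Base64 is used as-is, anything else is treated
  // as plain text and Base64 encoded. Length must be a multiple of 4 because the JDK
  // decoder accepts unpadded input such as "primus" and would misclassify it.
  static String normalizeKey(String userKey) {
    if (userKey.length() % 4 == 0 && userKey.matches("[A-Za-z0-9+/]*={0,2}")) {
      try {
        Base64.getDecoder().decode(userKey);
        return userKey;
      } catch (IllegalArgumentException ignored) { /* treat as plain text below */ }
    }
    return Base64.getEncoder().encodeToString(userKey.getBytes(StandardCharsets.UTF_8));
  }
  static String encrypt(String plaintext, String base64Key) throws Exception {
    SecretKeySpec key = new SecretKeySpec(Base64.getDecoder().decode(base64Key), "Blowfish");
    byte[] iv = new byte[8];                       // Blowfish block size is 8 bytes
    new SecureRandom().nextBytes(iv);
    Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
    c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
    byte[] body = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_16)); // UTF-16, as the page states
    byte[] out = new byte[iv.length + body.length];
    System.arraycopy(iv, 0, out, 0, iv.length);
    System.arraycopy(body, 0, out, iv.length, body.length);
    return Base64.getEncoder().encodeToString(out);
  }

  static String decrypt(String encoded, String base64Key) throws Exception {
    byte[] in = Base64.getDecoder().decode(encoded);
    SecretKeySpec key = new SecretKeySpec(Base64.getDecoder().decode(base64Key), "Blowfish");
    Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
    c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, 8));
    return new String(c.doFinal(in, 8, in.length - 8), StandardCharsets.UTF_16);
  }

  public static void main(String[] args) throws Exception {
    String key = normalizeKey("primus");           // reported as cHJpbXVz, as on the page
    String encryptedPassword = encrypt("Seas of Cheeze", key);
    System.out.println("encrypted_password=" + encryptedPassword);
    System.out.println("roundtrip=" + decrypt(encryptedPassword, key)); // Seas of Cheeze
  }
}
```

Because the IV is random, every run yields a different encrypted_password for the same input, which is expected; the roundtrip line is what confirms the key handling is consistent.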
The toolkit supports multiple ciphers, and a different cipher can be specified as the fourth argument on the command line or through the cipher.name system property:
```
java -Dcipher.key="cHJpbXVz" -jar CoyoteDX.jar encrypt "Seas of Cheeze" primus xtea
User-specified key did not appear to be Base64 encoded, encoding it.
Encrypting 'Seas of Cheeze'
with a key of 'cHJpbXVz'
using a 'xtea' cipher
U0Hgn54SbGdX9kj/3h5piVpSJGx58MFc39lc+kGUP1VYm8Z0yWLpww==
```
At the present time only Blowfish, XTEA and Null are supported.
The CipherUtil allows you to add any implementation of the Cipher interface. It is possible to use stronger encryption libraries and add them to the Coyote DX toolkit if desired.
We continually hit environments where the Java crypto libraries were not installed.
We solved this problem by adding widely used, publicly available, exportable crypto to the base package and added a simple interface which allowed stronger, more closed crypto algorithms to be added with relatively little effort.
If your analysis or personal beliefs urge you to use a different cryptography approach, the toolkit allows you to do so. If you are satisfied with the level of protection offered in this toolkit or have reviewed the cryptographic algorithms and found them acceptable as others have, then use it as is. The choice is yours.