Decrypting Database Encryption Key
API for decrypting the database encryption key
POST
VEGA_DECRYPT_API_ENDPOINT
Enclave Environment Variable:
Enter the Decryption API endpoint in VEGA_DECRYPT_API_ENDPOINT field.
Sensitive data fields such as personal information or private key are stored encrypted in the enclave database.
To do this, a symmetric encryption key needs to be set as an environment variable. Rather than use the key directly after load, it is recommended to decrypt using the key only before passing through the external security infrastructures(e.g. HSM) to maximize the security.
After implementing an API to decrypt an encryption key as below, you should set up the API endpoint as an environment value of VEGA_DECRYPT_API_ENDPOINT in the enclave server.
When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value is used as an encryption key. (NOT recommended)
When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value will be passed in request body of API called in the enclave boot phase.
Key management service integration (e.g.AWS KMS): set the AWS ARN to VEGA_ENCRYPTION_KEY_BASE64 and set the endpoint of KMS wrapping server on VEGA_DECRYPT_API_ENDPOINT. Then you can export the actual encryption key from the KMS with ARN.
Request Body
Field Name | Data Type | Required | Example | Description |
---|---|---|---|---|
inputKey | string | true | "Y9uIJCLAkzVi2XYZrUDmBYJp3szXlJIUwfLfbLsVeHU=" | The value entered as VEGA_ENCRYPTION_KEY_BASE64 environment value. Base64 encoded value. |
Response Body
Field Name | Data Type | Required | Example | Description |
---|---|---|---|---|
outputKey | string | true | "d0odhtb/jD9qWWTA59koPGgw2jj0ptov56A3b3dfohY=" | Base64 encoded decrypted value. |
Last updated