Decrypting Database Encryption Key
API for decrypting the database encryption key
Sensitive data fields such as personal information or private key are stored encrypted in the enclave database.To do this, a symmetric encryption key needs to be set as an environment variable. Rather than use the key directly after load, it is recommended to decrypt using the key only before passing through the external security infrastructures(e.g. HSM) to maximise the security.
After implementing an API to decrypt an encryption key as below, you should set up the API endpoint as an environment value of VEGA_DECRYPT_API_ENDPOINT in the enclave server.
- When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value is used as an encryption key. (NOT recommended)
- When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value will be passed in request body of API called in the enclave boot phase.
- Key management service integration (e.g.AWS KMS): set the AWS ARN to VEGA_ENCRYPTION_KEY_BASE64 and set the endpoint of KMS wrapping server on VEGA_DECRYPT_API_ENDPOINT. Then you can export the actual encryption key from the KMS with ARN.