Decrypting Database Encryption Key

API for decrypting the database encryption key

POST VEGA_DECRYPT_API_ENDPOINT

Enclave Environment Variable:

Enter the Decryption API endpoint in VEGA_DECRYPT_API_ENDPOINT field.

Sensitive data fields such as personal information or private key are stored encrypted in the enclave database.

To do this, a symmetric encryption key needs to be set as an environment variable. Rather than use the key directly after load, it is recommended to decrypt using the key only before passing through the external security infrastructures(e.g. HSM) to maximize the security.

After implementing an API to decrypt an encryption key as below, you should set up the API endpoint as an environment value of VEGA_DECRYPT_API_ENDPOINT in the enclave server.

  • When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value is used as an encryption key. (NOT recommended)

  • When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value will be passed in request body of API called in the enclave boot phase.

  • Key management service integration (e.g.AWS KMS): set the AWS ARN to VEGA_ENCRYPTION_KEY_BASE64 and set the endpoint of KMS wrapping server on VEGA_DECRYPT_API_ENDPOINT. Then you can export the actual encryption key from the KMS with ARN.

Request Body

Request Body Examples
{
    "inputKey": "Y9uIJCLAkzVi2XYZrUDmBYJp3szXlJIUwfLfbLsVeHU="
}
Field NameData TypeRequiredExampleDescription

inputKey

string

true

"Y9uIJCLAkzVi2XYZrUDmBYJp3szXlJIUwfLfbLsVeHU="

The value entered as VEGA_ENCRYPTION_KEY_BASE64 environment value. Base64 encoded value.

Response Body

Response Body Examples
  • 200 OK

{
    "outputKey": "d0odhtb/jD9qWWTA59koPGgw2jj0ptov56A3b3dfohY="
}
Field NameData TypeRequiredExampleDescription

outputKey

string

true

"d0odhtb/jD9qWWTA59koPGgw2jj0ptov56A3b3dfohY="

Base64 encoded decrypted value.

Last updated