VerifyVASP
Search…
⌃K

Decrypting Database Encryption Key

post
VEGA_DECRYPT_API_ENDPOINT
API for decrypting the database encryption key
Enclave Environment Variable:
Explicate the decryption API endpoint of the database encryption key in VEGA_DECRYPT_API_ENDPOINT .
Sensitive data fields such as personal information or private key are stored encrypted in the enclave database.
To do this, a symmetric encryption key needs to be set as an environment variable. Rather than use the key directly after load, it is recommended to decrypt using the key only before passing through the external security infrastructures(e.g. HSM) to maximise the security.
After implementing an API to decrypt an encryption key as below, you should set up the API endpoint as an environment value of VEGA_DECRYPT_API_ENDPOINT in the enclave server.
  • When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value is used as an encryption key. (NOT recommended)
  • When VEGA_DECRYPT_API_ENDPOINT variable is set up, VEGA_ENCRYPTION_KEY_BASE64 variable value will be passed in request body of API called in the enclave boot phase.
  • Key management service integration (e.g.AWS KMS): set the AWS ARN to VEGA_ENCRYPTION_KEY_BASE64 and set the endpoint of KMS wrapping server on VEGA_DECRYPT_API_ENDPOINT. Then you can export the actual encryption key from the KMS with ARN.

Request Body

Request Body Examples
Field Name
Data Type
Required
Example
Description
inputKey
string
true
"Y9uIJCLAkzVi2XYZrUDmBYJp3szXlJIUwfLfbLsVeHU="
The value entered as VEGA_ENCRYPTION_KEY_BASE64 environment value. Base64 encoded value.

Response Body

Response Body Examples
Field Name
Data Type
Required
Example
Description
outputKey
string
true
"d0odhtb/jD9qWWTA59koPGgw2jj0ptov56A3b3dfohY="
Base64 encoded decrypted value.