hi Jason, leaving aside the API design for a second and focusing on the mere crypto. I would really be careful on what you are defining as default. AES ECB is almost = to no encryption. Same as providing a fixed IV…
just saying….. regards antonio On Nov 10, 2017, at 9:53 PM, Jason Bailey <jason.bai...@sas.com> wrote: > Wanted to give a heads up in the direction I'm going with this. > > https://github.com/JEBailey/sling-encrypt > > CipherProvider is a service interface to provide pre-initialized Cipher > Objects for encoding and decoding content. > EncryptionValueMap encompasses the functionality to encrypt and decrypt > specific fields, currently focusing on String and String[] value types. Put > and Get methods not implemented yet. > EncryptionValueMapDecorator to wrap a map. > > For the EncryptionValueMap, I'm recording the properties that are encrypted > in a separate property field, so that accessing those fields can be done > seamlessly from any place that you are instantiate the EncryptionValueMap. > > Feedback appreciated. > > -----Original Message----- > From: Justin Edelson [mailto:jus...@justinedelson.com] > Sent: Friday, November 03, 2017 3:37 PM > To: dev@sling.apache.org > Subject: Re: value level encryption > > EXTERNAL > > In AEM, posting encrypted properties to /etc/cloudservices is historically > the primary use case for @Encrypted, but the PostProcessor applies to all > post requests. > > I think this would be a useful addition to Sling. We may want to have some > kind of SPI to support different encryption schemes, but that's an > implementation detail. > > Regards, > Justin > > > On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey <jason.bai...@sas.com> wrote: > >> They only docs I can find on that, assuming we're talking AEM, >> mentions it only works for posting things into /etc/cloudservices. So that's >> out. >> It's been a while, but I'm under the impression that all >> implementations of the java platform now come with a certain level of >> crypto >> >> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html >> >> I'd probably add a configuration so you could define the level of >> cryptography, and then that would allow people who needed a higher >> level to install their own providers. Is this something that Sling >> would be interested in? Since I'm going to be writing this, if you're >> interested, I'd rather write it with the intent of directly donating it. >> >> >> >> -----Original Message----- >> From: Justin Edelson [mailto:jus...@justinedelson.com] >> Sent: Friday, November 03, 2017 1:35 PM >> To: dev@sling.apache.org >> Subject: Re: value level encryption >> >> EXTERNAL >> >> We have this in our commercial product. At a high level, the way it >> works is that there is a PostProcessor which looks for an @Encrypted >> postfixed property and, if that is present, the corresponding property >> is stored in an encrypted fashion. Decryption is all done manually, >> although personally the idea of an EncryptionValueMap seems really cool to >> me. >> >> I believe the challenge in bringing this into Sling relates to the >> encryption libraries. >> >> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey <jason.bai...@sas.com> wrote: >> >>> Here's the use case >>> >>> My organization has decided that to conform to the GDPR, any >>> sensitive data should be encrypted while at rest. From a Sling >>> perspective that is a challenge since we've empowered the authors to >>> create forms the way they want. So to be on the safe side, we're >>> looking at encrypting all form fields as they are persisted, and >>> then decrypting the values from the resource when we need to processes >>> them. >>> >>> Now I'm thinking of an EncryptionValueMap that will simplify this >>> process and encapsulate the functionality. You guys are usually >>> ahead of me when I come up with this stuff and I don't like >>> replicating effort. So is there any functionality currently or >>> planned to handle encryption of resource values? >>> >>> Thanks >>> Jason >>> >>
