[ https://issues.apache.org/jira/browse/LOG4J2-2930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17200409#comment-17200409 ]
Ralph Goers commented on LOG4J2-2930:
-------------------------------------
Well, remember that in a lot of these cases batches aren't being encrypted;
individual LogEvents or data elements are. For example, Flume would be
encrypting individual log events as they are written to BerkeleyDB and
decrypting when they are read before they are sent to the downstream target. In
other cases it may be desirable to only encrypt certain fields leaving the rest
as clear text.
In the Flume use case speed is probably more important than having something
bullet-proof.
> Add plugin for encrypting/decrypting log events
> -----------------------------------------------
>
> Key: LOG4J2-2930
> URL: https://issues.apache.org/jira/browse/LOG4J2-2930
> Project: Log4j 2
> Issue Type: New Feature
> Components: Appenders, Core, Receivers
> Affects Versions: 2.13.3
> Reporter: Matt Sicker
> Priority: Major
>
> Some of the existing appenders write log events to sophisticated systems
> which support encrypting said data at rest and in transit (e.g., storing
> events in an encrypted SQL database using a TLS connection, writing data to
> an encrypted filesystem or disk, etc.). However, not every system supported in
> Log4j provides a feature or ability to encrypt and decrypt data natively.
> There is a small collection of ad hoc cryptographic operations in Log4j
> (e.g., {{SslConfiguration}}, {{KeyStoreConfiguration}},
> {{SecretKeyProvider}}, etc.) which should be refactored and extended to allow
> for more flexibility in key management and message encryption/decryption.
> This will allow appenders and receivers that wish to support encryption to do
> so much more easily. This should also allow for more sophisticated use of
> cryptography such as adding message digests or authentication tags to log
> messages to help prevent tampering and add authenticity.
> Related resources:
> * https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html
> * https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
> * https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html#protection
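The field-level case raised in the comment, combined with the authentication tags the issue asks for, as an added example that is not part of the original thread or of Log4j. `FieldCipherExample`, `seal` and `open` are hypothetical names, the event is constructed sample data, and AES-GCM is an assumption, since the thread does not name a cipher.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;

// Hypothetical helper, not a Log4j class: encrypts selected fields of one event.
public class FieldCipherExample {
    private static final SecureRandom RNG = new SecureRandom();

    // AES-GCM with a fresh 96-bit nonce per value. The field name is bound as
    // associated data, so a ciphertext cannot be moved to a different field.
    static String seal(SecretKey key, String field, String value) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(field.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(value.getBytes(StandardCharsets.UTF_8)); // ciphertext || tag
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Throws AEADBadTagException if the value or its field name was altered.
    static String open(SecretKey key, String field, String sealed) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        c.updateAAD(field.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // demo only; real keys come from a key store
        Map<String, String> event = new LinkedHashMap<>(); // constructed sample event
        event.put("level", "INFO");
        event.put("user", "alice@example.com");
        event.put("message", "password reset requested");
        Set<String> sensitive = Set.of("user"); // fields to encrypt; the rest stay clear text
        for (Map.Entry<String, String> e : event.entrySet())
            if (sensitive.contains(e.getKey())) e.setValue(seal(key, e.getKey(), e.getValue()));
        System.out.println(event);                              // only "user" is sealed
        System.out.println(open(key, "user", event.get("user"))); // round-trips the value
    }
}
```

Because every value carries its own nonce and tag, each event or field can be decrypted on its own, which is what reading events back one at a time requires.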