User data encryption promotion
Promotion Steps:
Promotion of encryption service
Choose values for the following fields. Generate them with a CSPRNG, keep them only in the environment secrets, and do not reuse them across environments: the key material derived from these three values protects every encrypted user record.
master-password: any string of any length (may contain alphanumerics and special characters)
master-salt: any string of length 8 (may contain alphanumerics and special characters)
master-initialvector: any string of length 12 (may contain alphanumerics and special characters)
Ask DevOps to generate keys for the values selected above.
In the environment secrets.yml file, add an "egov-enc-service" subsection under the "secrets" section and provide values for the three fields above. For ex:- for the Dev environment https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/dev-secrets.yaml#L29 (ask DevOps to do it).
Add the field "state-level-tenant-id" under the "egov-enc-service:" section of the environment yml, set to the state-level tenantId. Ex:- https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/qa.yaml#L525
Promote egov-enc-service:4-master-f47bff2
Make sure an "egov-enc-service" entry is present under "egov-service-host" in the environment yml, ex:- for dev https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/dev.yaml#L65. If it is missing, add it, then build and deploy zuul from the master branch so the gateway can route to the service.
Data migration steps (migration script and config in attachment):-
Provide the DB details in the following environment variables (the script reads them; do not put the password in the config file)
DB_PASSWORD
DB_HOST
DB_PORT
DB_USERNAME
DB_NAME
Back up the old tables (these are the only plaintext copies once the live tables are cleared; keep them until the migration is verified, then drop them so plaintext PII does not linger in the DB)
create table eg_user_backup_plaintext as (select * from eg_user);
create table eg_user_address_backup_plaintext as (select * from eg_user_address);
Temporarily drop the foreign key on 'eg_userrole_v1' that references 'eg_user', until the data has been transformed
ALTER TABLE eg_userrole_v1 DROP CONSTRAINT fk_user_role_v1;
Deploy user service build with encryption to run flyway migration (egov-user:11-user_changes_MT-800f319)
Clean tables of all plain text data
delete from eg_user_address;
delete from eg_user;
Run the migration
Python package dependencies of the script (psycopg2 and requests are third-party and must be installed; the rest are standard library)
import psycopg2
import sys
import json
import requests
import configparser
import logging
import os
Commands to run for the migration (users first, then addresses)
python3 user_migration.py config_user_encryption.txt
python3 user_migration.py config_address_encryption.txt
Restore the foreign key constraint dropped earlier (this fails if any eg_userrole_v1 row no longer has a matching eg_user row, so verify row counts against the backup tables first)
ALTER TABLE eg_userrole_v1 ADD CONSTRAINT fk_user_role_v1 FOREIGN KEY (user_id, user_tenantid) REFERENCES eg_user(id, tenantid) MATCH SIMPLE ON UPDATE NO ACTION ON DELETE NO ACTION;
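The migration above is a fixed order of operations (back up, drop the FK, clear, re-populate encrypted, restore the FK) with two places it can silently go wrong: a rerun that overwrites the plaintext backup with already-encrypted rows, and an orphan row in eg_userrole_v1 that makes the closing ADD CONSTRAINT fail after the plaintext has already been deleted. The script below is an added example, not the migration script from the attachment, that walks that order against a constructed subset of the three tables in an in-memory SQLite DB and adds the pre- and post-checks. stand_in_encrypt/stand_in_decrypt are assumed placeholders for the egov-enc-service call; the Postgres DDL (DROP/ADD CONSTRAINT, flyway) is not simulated.

```python
"""Added example: rerun-safe ordering and checks for the eg_user / eg_user_address
encryption migration. Schema and rows are constructed; encryption is a stand-in."""
import base64
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# Columns the page lists as encrypted, and the key each table's rows are matched on.
PII_COLUMNS: Dict[str, List[str]] = {
    "eg_user": ["username", "mobilenumber", "altcontactnumber", "emailid",
                "name", "pan", "aadhaarnumber", "guardian"],
    "eg_user_address": ["address"],
}
KEY_COLUMNS: Dict[str, List[str]] = {"eg_user": ["id", "tenantid"], "eg_user_address": ["id"]}


def stand_in_encrypt(value: Optional[str]) -> Optional[str]:
    """Assumed stand-in for the egov-enc-service encrypt call (reversible tagging)."""
    return None if value is None else "enc:" + base64.b64encode(value.encode()).decode()


def stand_in_decrypt(value: Optional[str]) -> Optional[str]:
    return None if value is None else base64.b64decode(value[len("enc:"):]).decode()


def build_sample_db() -> sqlite3.Connection:
    """Constructed subset of the real schema, populated with plaintext PII."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE eg_user (id INTEGER, tenantid TEXT, username TEXT, mobilenumber TEXT,
            altcontactnumber TEXT, emailid TEXT, name TEXT, pan TEXT, aadhaarnumber TEXT,
            guardian TEXT, PRIMARY KEY (id, tenantid));
        CREATE TABLE eg_user_address (id INTEGER PRIMARY KEY, userid INTEGER, tenantid TEXT, address TEXT);
        CREATE TABLE eg_userrole_v1 (user_id INTEGER, user_tenantid TEXT, role_code TEXT);
    """)
    conn.executemany("INSERT INTO eg_user VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "pb", "asha", "9999900001", None, "asha@example.org", "Asha", "ABCDE1234F", None, "Ravi"),
        (2, "pb", "kiran", "9999900002", "9999900003", None, "Kiran", None, "123412341234", None),
    ])
    conn.executemany("INSERT INTO eg_user_address VALUES (?,?,?,?)",
                     [(10, 1, "pb", "12 Mall Road"), (11, 2, "pb", "4 Park Street")])
    conn.executemany("INSERT INTO eg_userrole_v1 VALUES (?,?,?)",
                     [(1, "pb", "EMPLOYEE"), (2, "pb", "CITIZEN")])
    return conn


def find_orphan_roles(conn: sqlite3.Connection) -> List[Tuple]:
    """eg_userrole_v1 rows with no (id, tenantid) parent in eg_user: any such row makes the
    closing ADD CONSTRAINT fk_user_role_v1 fail, so check before dropping the constraint."""
    return conn.execute(
        "SELECT r.user_id, r.user_tenantid FROM eg_userrole_v1 r LEFT JOIN eg_user u "
        "ON u.id = r.user_id AND u.tenantid = r.user_tenantid WHERE u.id IS NULL").fetchall()


def migrate_table(conn: sqlite3.Connection, table: str,
                  encrypt: Callable[[Optional[str]], Optional[str]]) -> int:
    """Page order: back up, delete the plaintext rows, reinsert from the backup with PII encrypted.
    CREATE TABLE fails if the backup already exists, which stops a rerun from overwriting the
    only plaintext copy with already-encrypted rows."""
    conn.execute(f"CREATE TABLE {table}_backup_plaintext AS SELECT * FROM {table}")
    cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
    pii = set(PII_COLUMNS[table])
    rows = conn.execute(f"SELECT {', '.join(cols)} FROM {table}_backup_plaintext").fetchall()
    conn.execute(f"DELETE FROM {table}")
    encrypted = [tuple(encrypt(v) if c in pii else v for c, v in zip(cols, row)) for row in rows]
    conn.executemany(f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join('?' * len(cols))})",
                     encrypted)
    conn.commit()
    return len(encrypted)


def verify_migration(conn: sqlite3.Connection, table: str) -> Dict[str, int]:
    """Post-checks: row count preserved, and no PII column still equal to its plaintext."""
    live = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    backup = conn.execute(f"SELECT COUNT(*) FROM {table}_backup_plaintext").fetchone()[0]
    on = " AND ".join(f"l.{k} = b.{k}" for k in KEY_COLUMNS[table])
    leaks = 0
    for col in PII_COLUMNS[table]:
        leaks += conn.execute(
            f"SELECT COUNT(*) FROM {table} l JOIN {table}_backup_plaintext b ON {on} "
            f"WHERE l.{col} IS NOT NULL AND l.{col} = b.{col}").fetchone()[0]
    return {"live_rows": live, "backup_rows": backup, "plaintext_leaks": leaks}


def run_migration(conn: sqlite3.Connection, encrypt=stand_in_encrypt) -> Dict[str, Dict[str, int]]:
    orphans = find_orphan_roles(conn)
    if orphans:  # abort while the plaintext is still in place, not after the FK restore fails
        raise RuntimeError(f"FK restore would fail, orphan eg_userrole_v1 rows: {orphans}")
    # DROP/ADD CONSTRAINT fk_user_role_v1 and the flyway step are Postgres operations
    # from the page and are not simulated here.
    report = {}
    for table in PII_COLUMNS:
        migrate_table(conn, table, encrypt)
        report[table] = verify_migration(conn, table)
    return report
```

Against the real DB the same checks translate directly: run the orphan query before the DROP CONSTRAINT, and compare counts and per-column equality between each table and its *_backup_plaintext copy before the ADD CONSTRAINT. A non-zero plaintext_leaks count means a column was skipped by the script's config and must be fixed before the backups are dropped.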
Service Builds:-
User service:- egov-user:11-user_changes_MT-800f319
Set the environment variable "DECRYPTION_ABAC_ENABLED" to false for this build
User service copy for chatbot:- egov-user-chatbot:4-user_changes_MT-621fe60
Note: promote this only if the WhatsApp chatbot is already running in the system; it uses a separate copy of the user service named "egov-user-chatbot". Not needed if the WhatsApp chatbot is not in the system.
Report service:- report:22-report-encryption-changes-e92c8ae
enc-service:- egov-enc-service:4-master-f47bff2
MDMS:
Impact analysis:
The following columns in the following tables are encrypted as part of user data encryption
eg_user | eg_user_address
---|---
username, mobilenumber, altcontactnumber, emailid, name, pan, aadhaarnumber, guardian | address
User service API response: the user service APIs are unchanged after user data encryption (when accessed with suitable roles), so services that call them are not affected. Note, however, that a caller who has no role listed in the "ALL_ACCESS" section of the "DecryptionABAC" master (egov-mdms-data/data/pb/DataSecurity/DecryptionABAC.json at master · egovernments/egov-mdms-data) receives encrypted values from the user service APIs. To get decrypted data the caller must hold at least one role defined in the "ALL_ACCESS" section; with a matching role the response is the same as before. To give a role full decryption of user service responses, add an entry for that role under "ALL_ACCESS" listing every field that should be decrypted.
Searcher:- Since the data in the user tables is encrypted, no service should read user data directly from the DB. Services that use the searcher should fetch user data separately from the user service, which returns decrypted data, or the searcher should be enhanced to enrich user data by calling the user service.
Dashboard:- No dashboard is based on user PII.
In PT, TL and PGR, user PII currently flows into the tl-index, bpa-index, paymentsindex-v1, bpastakeholderindex, pgrindex and ptindex-v1 indexes.
Reports:-
By default any report that reads directly from the user tables will show encrypted values.
Reports can use the role-based access supported by the encryption service to decrypt encrypted columns.
To let a role decrypt encrypted user data columns in a report, add an entry to the DecryptionABAC master (egov-mdms-data/data/pb/DataSecurity/DecryptionABAC.json at master · egovernments/egov-mdms-data) and add a key to the report config, as in the following example.
Ex:- In the "TradeLicenseRegistryReport" report, to give the "EMPLOYEE" role decryption access to the "name" and "mobilenumber" columns (the column names must match the column names defined in the report config), we made two changes:
Added the key "decryptionPathId: TradeLicenseRegistryReport" to the report config of "TradeLicenseRegistryReport" (configs/reports/config/rainmaker-tl-reports.yml at master · egovernments/configs). The key value must match the "key" of the DecryptionABAC entry.
And added the following entry to the DecryptionABAC master (egov-mdms-data/data/pb/DataSecurity/DecryptionABAC.json at master · egovernments/egov-mdms-data):
{
"key": "TradeLicenseRegistryReport",
"roleAttributeAccessList": [
{
"roleCode": "EMPLOYEE",
"attributeAccessList": [
{
"attribute": {
"jsonPath": "*/name"
},
"accessType": "PLAIN"
},
{
"attribute": {
"jsonPath": "*/mobilenumber",
"maskingTechnique": "mobile"
},
"accessType": "PLAIN"
}
]
}
]
}
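To make the effect of such an entry concrete, here is an added example (not code from the report or encryption services) that applies a DecryptionABAC entry to one report row. The TradeLicenseRegistryReport entry is the one above; the extra "TL_VIEWER" role with accessType "MASKED", the "ALL_ACCESS" entry, the grant semantics (PLAIN returns plaintext, MASKED returns plaintext passed through the named maskingTechnique, no matching role leaves the stored ciphertext untouched) and the shape of the "mobile" mask are assumptions. Ciphertext is represented by an "enc:" prefixed stand-in, not the real enc-service format. Under these semantics the page's EMPLOYEE grant shows the full mobile number, because its accessType is PLAIN even though a maskingTechnique is listed.

```python
"""Added example: resolving DecryptionABAC grants for a caller's roles and applying them
to a report row. Entries marked constructed are not from the MDMS master."""
import base64
from typing import Dict, List, Optional

DECRYPTION_ABAC = [
    {"key": "ALL_ACCESS", "roleAttributeAccessList": [  # constructed entry
        {"roleCode": "SUPERUSER", "attributeAccessList": [
            {"attribute": {"jsonPath": "*/name"}, "accessType": "PLAIN"},
            {"attribute": {"jsonPath": "*/mobilenumber"}, "accessType": "PLAIN"}]}]},
    {"key": "TradeLicenseRegistryReport", "roleAttributeAccessList": [
        {"roleCode": "EMPLOYEE", "attributeAccessList": [  # the page's entry
            {"attribute": {"jsonPath": "*/name"}, "accessType": "PLAIN"},
            {"attribute": {"jsonPath": "*/mobilenumber", "maskingTechnique": "mobile"},
             "accessType": "PLAIN"}]},
        {"roleCode": "TL_VIEWER", "attributeAccessList": [  # constructed: masked access
            {"attribute": {"jsonPath": "*/mobilenumber", "maskingTechnique": "mobile"},
             "accessType": "MASKED"}]}]},
]


def mask_mobile(value: str) -> str:
    """Assumed shape of the "mobile" technique: reveal only the last four digits."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


MASKERS = {"mobile": mask_mobile}


def stand_in_encrypt(value: str) -> str:
    """Stand-in for the enc-service ciphertext format, so the example runs offline."""
    return "enc:" + base64.b64encode(value.encode()).decode()


def stand_in_decrypt(value: str) -> str:
    return base64.b64decode(value[len("enc:"):]).decode()


def resolve_grants(abac: List[dict], key: str, roles: List[str]) -> Dict[str, dict]:
    """Union of the attribute grants of every role the caller holds, for one decryptionPathId.
    When two roles disagree on a column, PLAIN wins over MASKED (assumed)."""
    grants: Dict[str, dict] = {}
    for entry in abac:
        if entry["key"] != key:
            continue
        for role_access in entry["roleAttributeAccessList"]:
            if role_access["roleCode"] not in roles:
                continue
            for access in role_access["attributeAccessList"]:
                attr = access["attribute"]
                column = attr["jsonPath"].rsplit("/", 1)[-1]  # "*/name" -> "name"
                prev = grants.get(column)
                if prev is None or (prev["accessType"] == "MASKED" and access["accessType"] == "PLAIN"):
                    grants[column] = {"accessType": access["accessType"],
                                      "maskingTechnique": attr.get("maskingTechnique")}
    return grants


def decrypt_row(row: Dict[str, str], key: str, roles: List[str],
                abac: List[dict] = DECRYPTION_ABAC) -> Dict[str, str]:
    """Decrypt only the columns the caller's roles are granted; others stay as stored."""
    grants = resolve_grants(abac, key, roles)
    out: Dict[str, str] = {}
    for column, value in row.items():
        grant: Optional[dict] = grants.get(column)
        if grant is None or not value.startswith("enc:"):
            out[column] = value  # no grant (or not an encrypted column): unchanged
            continue
        plain = stand_in_decrypt(value)
        if grant["accessType"] == "MASKED":
            plain = MASKERS[grant["maskingTechnique"]](plain)
        out[column] = plain
    return out


# Constructed report row with the two encrypted columns the report config names.
SAMPLE_ROW = {
    "licensenumber": "PB-TL-2019-000123",
    "name": stand_in_encrypt("Asha"),
    "mobilenumber": stand_in_encrypt("9999900001"),
}
```

Two things this makes visible: grants are keyed by the report's decryptionPathId, so a role that can read name in TradeLicenseRegistryReport gets ciphertext in any report whose config lacks the key, and a caller with no matching role gets exactly what is stored in the DB, which is the behaviour the user service section above describes for roles outside ALL_ACCESS.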