Skip to content

Latest commit

 

History

History
87 lines (63 loc) · 4.67 KB

README.md

File metadata and controls

87 lines (63 loc) · 4.67 KB

Crypro shredding extensions for Axon

test Build status Quality Gate Status

This is a standalone library as well as a supporting repository for Lhotse, a starter kit for writing event sourced web applications following domain driven design principles.

This library implements crypto shredding for the Axon event log and saga store. Crypto shredding is a technique for disabling access to sensitive information by discarding encryption keys. You might use this on the behest of a user or when retention is no longer justified in order to comply with the European Union's General Data Protection Regulation (GDPR) without compromising the append-only nature of your event log.

How it works

The extension wraps the existing Axon serializers and intercepts fields annotated with @EncryptedField, encrypting them with symmetric keys that are generated and stored alongside the Axon event log and saga store. Encryption keys are identified via the @EncryptionKeyIdentifier annotation. This annotation accepts an optional keyType parameter that is used to differentiate between identifiers when key uniqueness cannot be globally guaranteed (such as when using monotonically increasing integers).

A 256 bit AES (symmetric) key is generated for each {identifier, keyType} tuple. Each field annotated with @EncryptedField is encrypted using an initialisation vector unique to that field. This initialisation vector is stored as part of the serialised field payload.

Multiple @EncryptionKeyIdentifier annotations can be used per payload. These keys are mapped to specific fields via tags. This allows, for example, an event that contains the PII of two subjects to be encrypted using different encryption keys owned by the respective subjects.

Shredding data

The CryptoShreddingKeyService's deleteSecretKey method should be called to discard a secret key. The encryption key table should not be modified directly.

Once a key has been discarded, deserialisation will return fields with default values for the field's data type.

Projections can be cleaned up through event handlers that perform an appropriate action -- delete or scrub -- given your domain.

Aggregate snapshots may need to be dropped and saga lifecycles may need to be completed.

Caveat

This library (or a similar implementation) is required to deserialise annotated events once encryption has been applied. It is not sufficient to remove this library as a dependency as the underlying data types in the serialised form do not align with the types declared for an event or saga.

Installation

Maven:

<dependency>
  <groupId>engineering.everest.axon</groupId>
  <artifactId>crypto-shredding-extension</artifactId>
  <version>${version}</version>
</dependency>

Gradle:

implementation "engineering.everest.axon:crypto-shredding-extension:${version}"
  1. Add implementation for SecretKeyRepository to persist the secret keys. Default implementation DefaultSecretKeyRepository can found here
  2. configure your event serializer to be wrapped by the crypto-shredding serializer:
@Bean
public CryptoShreddingSerializer eventSerializer(CryptoShreddingKeyService cryptoShreddingKeyService,
                                                 EncrypterDecrypterFactory aesEncrypterDecrypterFactory,
                                                 DefaultValueProvider defaultValueProvider,
                                                 KeyIdentifierToStringConverter keyIdentifierToStringConverter) {
     return new CryptoShreddingSerializer(JacksonSerializer.defaultSerializer(), cryptoShreddingKeyService,
        aesEncrypterDecrypterFactory, new ObjectMapper(), defaultValueProvider, keyIdentifierToStringConverter);
}

License

License License: EverestEngineering

Talk to us [email protected].