In DataGrip, how do I get decrypted data from Azure SQL Server using column encryption

I set up a connection in DataGrip to my database table that has encrypted columns (randomized). I can query the data but the value of each encrypted column is an error message:
<failed to load>
com.microsoft.sqlserver.jdbc.SQLServerException: Failed to decrypt a column encryption key. Invalid key store provider name: AZURE_KEY_VAULT. A key store provider name must denote either a system key store provider or a registered custom key store provider. Valid system key provider names are: . Valid (currently registered) custom key store provider names are: null. Please verify key store provider information in column master key definitions in the database, and verify all custom key store providers used in your application are registered properly.
at com.microsoft.sqlserver.jdbc.SQLServerConnection.getSystemOrGlobalColumnEncryptionKeyStoreProvider(SQLServerConnection.java:1023)
at com.microsoft.sqlserver.jdbc.SQLServerSymmetricKeyCache.getKey(SQLServerSymmetricKeyCache.java:90)
at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.decryptSymmetricKey(SQLServerSecurityUtility.java:232)
at com.microsoft.sqlserver.jdbc.SQLServerSecurityUtility.decryptWithKey(SQLServerSecurityUtility.java:278)
at com.microsoft.sqlserver.jdbc.ServerDTVImpl.getValue(dtv.java:3739)
at com.microsoft.sqlserver.jdbc.DTV.getValue(dtv.java:247)
at com.microsoft.sqlserver.jdbc.Column.getValue(Column.java:190)
at com.microsoft.sqlserver.jdbc.SQLServerResultSet.getValue(SQLServerResultSet.java:2081)
at com.microsoft.sqlserver.jdbc.SQLServerResultSet.getValue(SQLServerResultSet.java:2067)
at com.microsoft.sqlserver.jdbc.SQLServerResultSet.getString(SQLServerResultSet.java:2538)
in JdbcHelperImpl.getObject(JdbcHelperImpl.java:306)
In the Advanced tab of the connection configuration, I set the following properties:
columnEncryptionSetting = Enabled
enclaveAttestationProtocol = AAS
enclaveAttestationUrl = https://{attestationService}.eus.attest.azure.net
encrypt = true
What other settings do I need to provide?

Related

Use of Signed Encryption Scope while generating account/service SAS token and how to setup it in Azure portal?

I want to use a signed encryption scope while generating a SAS token and then get a blob which used the same scope at the time of upload. Currently it's throwing a 403 Unauthorized error when I try to fetch a blob which was uploaded to the backend using the same customer-managed encryption key.
This error may occur if the key has been disabled or deleted, access to customer-managed keys has been revoked, or your access token activation time has expired.
Please check that you followed the below workaround correctly.
After clicking key vault and key, try to generate a new key vault and key to prevent an error. In Encryption scopes, check that you have given a valid key vault and key, and infrastructure encryption should be Enabled as below.
When you try to fetch a blob which was uploaded to the backend using the same customer-managed encryption key, check that your authentication type is Account key and that the existing scope you choose is valid as below.
Once you upload a blob, ensure you have generated a SAS token and URL, and try using the blob SAS URL to access it.
Reference: Authorize with Shared Key and Forbidden (403), Unauthorized (401).

Encrypting and decrypting data with a key generated through crypto/pbkdf2 in Golang

I'm trying to encrypt my sensitive data for an application. For the key generation part, I'm using crypto/pbkdf2. I'm generating the encryption key on the fly based on the user-supplied password. When a user is created, that's when I'm encrypting the corresponding data of the user with the user's supplied password. However, whenever that particular user tries to access a resource, I have to decrypt the data before showing it to the user. Where do I get the password from every time an endpoint is called by that user to access a resource?
Note: I'm storing the hashed password of the user in the database schema, also I don't want to store the encryption password anywhere!
The typical solution to this is called token-based authentication (or in OAuth terms, Resource Owner Password Credential Flow).
Create a "login" endpoint that will derive the encryption key from the supplied username/password and exchange it for a (time-limited) "access token", storing it in a key-value store with TTL support (e.g. etcd, Redis).
Then each subsequent request will need to supply the access token (e.g. in the Authorization header), which is then used to retrieve the encryption key from the key-value store.

Kong API Gateway session plugin with user info

I am attempting to abstract the authorization/authentication from my upstream services into Kong API gateway. Previously, I was using express + passport to handle sessions. Whenever a user logs in with their credentials a session would be created with their user info attached to the req object (req.user).
Currently, I am using API keys + session + serverless functions to compare user passwords (using the bcrypt Lua library) from a file mapped into the Kong container. The client would send an initial login request (with username and password) with an API key to log in, the serverless function would compare the password hashes, and if all that passes, the session would get created.
However, my question is, is there a way to store the user info into the session database, so my upstream service can ask for that information to ensure that the session attached to the user logged in is valid at any given time?
Any ideas even if not related to Kong would be appreciated!
When creating a new session on Kong, you can explicitly provide the unique key used to identify a session (by default created by Kong itself).
When the password checks pass and you are generating a session on Kong, you can create your own unique key and use that key while creating the session.
import requests

kong_admin = 'http://localhost:8001'
user = 'test-user#dummy.com'
# any unique combination which you would like to use for identifying the session
session_key = 'any-unique-combination'
kong_session = {'key': session_key}

# create a session for this dummy user using your key
# (this is Kong's JWT credential endpoint for the consumer)
response = requests.post('%s/consumers/%s/jwt' % (kong_admin, user), data=kong_session)
response.raise_for_status()

# once the session is created you can find it using
resp = requests.get('%s/consumers/%s/jwt/%s' % (kong_admin, user, session_key))
resp.raise_for_status()

# you can use this key in your token payload so your upstream service can decrypt the
# payload and get this key, and you can store this key in your database mapped with
# the user during session creation.
# With this you'll be able to decrypt any session payload, get the key and then query
# it in the database at any point in time.

How to configure NiFi PutS3Object processor to use flow attributes for S3 credentials

I assume that the PutS3Object processor can resolve a reference to the Access Key and Secret Key as these two configuration parameters support expression language. But I am unable to get it to work.
I have successfully put files into an S3 bucket by configuring the PutS3Object processor with the Access Key and Secret Key with the actual values. But, when I try to set those values in an UpdateAttribute processor and then use an expression to reference the attributes in the Access Key and Secret Key settings they do not appear to be set and the put object call fails.
Following is the error message when Access Key and Secret Key are defined as ${s3.accessKey} and ${s3.secretAccessKey} respectively. Those two attributes have been set in an UpdateAttribute processor prior to the PutS3Object processor.
com.amazonaws.services.s3.model.AmazonS3Exception: The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential. (Service: Amazon S3; Status Code: 400; Error Code: AuthorizationHeaderMalformed;
I'm afraid the expressions allowed for AWS access key properties do not include FlowFile attributes. The expressions are intended to be used with globally configured "Variable Registry" values, so that access keys can be provided as part of the server deployment. The feature is described under Custom Properties in the NiFi System Administrator's Guide.
Allowing FlowFile attributes would require a feature request via the NiFi JIRA ticket system.

What should I store into db with oauth2 jwt authorization?

I want to use OAuth JWT tokens for authorization. For some reasons (OSGi container) I can't use spring-oauth-security.
In the readme of spring-oauth-security I have found a quote:
The JSON Web Token (JWT) version of the store encodes all the data about the grant into the token itself (so no back end store at all which is a significant advantage).
https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md
I absolutely don't get "no back end store at all". There are two cases in JWT:
1. Symmetric key or shared secret (HMAC): the verifier key is a shared secret and is available at the /token_key URL.
Question 1: I should store a shared secret on the server for each registered user. Why "no back end store at all"?
2. Asymmetric key (RS/ES): /token_key returns the public key (without principal).
Question 2: But why do we use only one public key for all users? It is not possible to generate more than one private key for the same public key in RSA, is it? Only one private key/public key pair is allowed in RSA.
I don't understand the flow and why "no back end store at all".
You do not use different keys per user but per Identity Provider.
The Identity Provider signs a JWT with a key and you are able to validate it for each user without a backend lookup. For JWT validation you only need a key related to the Identity Provider; even if you store it in some DB, you could fetch it once and cache it. For asymmetric keys, OIDC even defines a URL to fetch the public key(s) used for the signature.
The key is used to trust the Identity Provider and thus implicitly the identities it provides.
This is quite a good article on the topic:
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
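The "one key per Identity Provider, not per user" point in the answer above, as an added Go example; it is not code from the question, the answer, or Spring Security OAuth. Assumptions: RS256 (RSASSA-PKCS1-v1_5 over SHA-256) as the JWT algorithm, an RSA key generated in-process standing in for the Identity Provider's key (in practice the public half is fetched from the /token_key or JWKS URL the answer mentions), and only the sub and exp claims. The resource server side holds nothing but the public key and performs no per-user lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// b64 is the unpadded base64url encoding JWT uses (RFC 7515).
var b64 = base64.RawURLEncoding

// signJWT is what the Identity Provider does: it signs the claims with its single
// private key. The subject differs per user; the key does not.
func signJWT(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyJWT is what the resource server does: with nothing but the IdP's public key
// it checks algorithm, signature and expiry, and only then trusts the claims.
func verifyJWT(pub *rsa.PublicKey, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three segments")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: the token must not get to choose it ("none", or HS256 with
	// the public key as the HMAC secret, are the classic confusions).
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jwt: unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("jwt: bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	// Claims are only read after the signature holds; exp is checked against the
	// caller's clock so it can be pinned in tests. JSON numbers decode as float64.
	exp, ok := claims["exp"].(float64)
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("jwt: missing or past exp")
	}
	return claims, nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's key pair
	now := time.Now()
	for _, user := range []string{"alice", "bob"} {
		tok, _ := signJWT(idpKey, map[string]any{"sub": user, "exp": now.Add(time.Hour).Unix()})
		claims, err := verifyJWT(&idpKey.PublicKey, tok, now)
		fmt.Println(user, claims["sub"], err)
	}
}
```

Both users' tokens verify against the same public key, which is the whole answer to Question 2: RSA gives one key pair, but it belongs to the issuer, and what varies per user is the signed sub claim, not the key. The same public key also rejects a token whose payload was edited, a token signed by a different issuer, an expired token, and a token whose header claims alg "none"; the alg check is the one piece of this that is easy to forget when hand-rolling verification.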
