Recently, I ended up taking on the task of setting up at-rest encryption for a DynamoDB table we were going to use on our project. By the time I volunteered, we had decided on using the aws-dynamodb-encryption-java library. Amazon’s own examples in the documentation seemed fairly straightforward, so we figured it would be fairly simple.
Either I love over-complicating things, or maybe it was not so simple. Initially, we tried to rig a solution involving envelope encryption. I had imagined that we could use Amazon KMS to manage our keys, and then use the DirectKMSMaterialsProvider as an EncryptionMaterialsProvider (both elements provided by the above library).
This solution, however, would not be Bouncy Castle FIPS compliant, a must for federal contracting. So instead, we decided on replicating some of the implementation from a previous project, which uses client-side encryption to lock down a Postgres database. Ultimately, since the entire payload of the DDB gets encrypted and since the final implementation isn’t, in fact, envelope encryption, most of the actual code for this will be scrapped before we go to production. Still, I learned a fair deal about the process! Below I’ve copied a lot of the notes I jotted down along the way.
With that in mind, we’re taking the crypto tools used in that previous project, importing them into the current project, and comparing and contrasting the code used to encrypt the data.
Right now, we’re trying to get the self-signed cert from which we pull the private and public keys.
Nightmarishly, AttributeEncryptor as it was above can’t be cast, because it’s from S3, so instead I’m trying to build the provider from the DDB code.
Unfortunately, EncryptionMaterials is abstract and cannot be instantiated like it can be in S3.
Additionally, the EncryptionMaterialsProvider uses a SymmetricStaticProvider in Amazon’s test code, so I’m trying to go with that instead of the asymmetric version we were looking at with the S3 version, which I don’t understand, so.
CryptoService to the rescue, with its ability to generate an encryptionKey (the secret key) and to retrieve the keypair that we need for the SymmetricStaticProvider.
Compiles properly, but now all the ENV vars I set up need to be added to the Dockerfile.
In turn, it’ll boot up, but Bouncy Castle FIPS isn’t installed on it.
— — — May 19th — — —
Turns out, once the provider was added, it worked like a charm.
Then, we passed in the provider to the Mapper, and the rest of the app functioned fine.
Not sure how to prove it is, in fact, encrypting the data, buuuuuut
Harrison Lavin [11:36 AM]
Thanks to the inestimable Aaron Shaf, we may have a way forward.
dynamo-local-admin-docker — A combined Docker image with DynamoDB-Local and dynamo-admin.
Harrison Lavin [12:39 PM]
It turns out, we do!
By swapping out the previous Docker image (which just had the DDB image, no dynamo-admin) with the above, we were able to take a look at the DDB as it was being worked on.
A case could be saved and retrieved using Swagger, free of issue.
But! If you tried to access that case from dynamodb-admin, it came back as an encrypted mess.
Only by retrieving using Swagger were we able to read the data properly.
As far as I understand encryption, we’ve done it!
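As an added example (not the author's or the project's code), here is the SymmetricStaticProvider wiring from the notes above, with the mapper read beside the raw read that dynamodb-admin performs, which is the proof the notes were missing. The `cases` table, the `Case` entity, the local endpoint and the freshly generated keys are all assumptions for the demo.

```java
import java.util.Map;
import javax.crypto.KeyGenerator;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDB;
import com.amazonaws.services.dynamodbv2.AmazonDynamoDBClientBuilder;
import com.amazonaws.services.dynamodbv2.datamodeling.*;
import com.amazonaws.services.dynamodbv2.datamodeling.DynamoDBMapperConfig.SaveBehavior;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.DynamoDBEncryptor;
import com.amazonaws.services.dynamodbv2.datamodeling.encryption.providers.SymmetricStaticProvider;
import com.amazonaws.services.dynamodbv2.model.AttributeValue;

public class EncryptedCaseDemo {
    // Hypothetical entity: the hash key is only signed, not encrypted, so it stays queryable.
    @DynamoDBTable(tableName = "cases")
    public static class Case {
        private String caseId;
        private String notes;
        @DynamoDBHashKey public String getCaseId() { return caseId; }
        public void setCaseId(String v) { caseId = v; }
        @DynamoDBAttribute public String getNotes() { return notes; }
        public void setNotes(String v) { notes = v; }
    }

    public static void main(String[] args) throws Exception {
        // Assumed endpoint of the dynamo-local-admin-docker container; the table must already exist.
        AmazonDynamoDB ddb = AmazonDynamoDBClientBuilder.standard()
            .withEndpointConfiguration(new EndpointConfiguration("http://localhost:8000", "us-east-1"))
            .build();
        // Throwaway keys for the demo; in the post they come from CryptoService. Real keys must be
        // persisted and reused, or nothing written with them can ever be read back.
        KeyGenerator aes = KeyGenerator.getInstance("AES"); aes.init(256);
        KeyGenerator mac = KeyGenerator.getInstance("HmacSHA256"); mac.init(256);
        SymmetricStaticProvider provider = new SymmetricStaticProvider(aes.generateKey(), mac.generateKey());
        // The item signature covers every attribute, so saves must be PUT or CLOBBER, never UPDATE.
        DynamoDBMapperConfig cfg = DynamoDBMapperConfig.builder().withSaveBehavior(SaveBehavior.PUT).build();
        DynamoDBMapper mapper = new DynamoDBMapper(ddb, cfg,
            new AttributeEncryptor(DynamoDBEncryptor.getInstance(provider)));

        Case c = new Case(); c.setCaseId("case-1"); c.setNotes("sensitive notes");
        mapper.save(c);
        System.out.println("via mapper: " + mapper.load(Case.class, "case-1").getNotes()); // plaintext

        // The check: read the raw item the way dynamodb-admin does, bypassing the mapper.
        // The attribute is stored as a Binary blob and the library's signature attribute is present.
        Map<String, AttributeValue> raw =
            ddb.getItem("cases", Map.of("caseId", new AttributeValue("case-1"))).getItem();
        System.out.println("notes stored as binary: " + (raw.get("notes").getB() != null));
        System.out.println("signature attribute present: " + raw.containsKey("*amzn-ddb-map-sig*"));
    }
}
```

The same raw read is what to put in an integration test, so that a future refactor that drops the AttributeEncryptor from the mapper fails loudly instead of silently writing plaintext.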