File encryption


Encryption is required for all evidence items. Refer to the reference design for guidance on the available encryption libraries.

For security reasons, all files must be encrypted before they are sent to Clearance (the edge-device encryption principle).
The encryption standard for Clearance is Azure Blob Storage client-side encryption.

To encrypt an evidence item:

  1. Retrieve the user's public key from the Key Store Service API.
  2. Locally generate a new single-use symmetric AES-256 key for the file (AES_CBC_256).
  3. Encrypt the file with the generated AES-256 key using PKCS7 padding (uploading as you encrypt).
  4. Wrap the AES-256 key using RSA-OAEP (with the user's public key from step 1).
  5. Store the wrapped key in the blob's metadata entry named x-ms-meta-encryptiondata (see the Azure SDK).
  6. Once the encryption metadata has been sent, complete the resource/evidence.
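The six steps above carried out end to end, as an added example that is not the project's own code: it generates the one-time AES-256-CBC key and IV, encrypts a constructed payload with PKCS7 padding, wraps the key with RSA-OAEP, and builds the JSON that is stored as the blob's encryptiondata metadata (property names follow the EncryptionDataModel shown below). The EvidenceEncryptor class, the key id "user-key-1" and the locally generated RSA key standing in for the Key Store Service are assumptions; the OAEP hash (SHA-1) is assumed from the plain "RSA-OAEP" algorithm name and must match what the decrypting side uses.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical helper (not the project's code): returns the ciphertext to upload and
// the JSON string that goes into the blob metadata entry x-ms-meta-encryptiondata.
static class EvidenceEncryptor
{
    public static (byte[] Ciphertext, string MetadataJson) Encrypt(
        byte[] plaintext, RSA userPublicKey, string keyId)
    {
        using var aes = Aes.Create();
        aes.KeySize = 256;                  // AES_CBC_256
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.GenerateKey();                  // fresh single-use content key per file
        aes.GenerateIV();                   // fresh IV; never reuse an IV under the same key

        byte[] ciphertext;
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(plaintext, 0, plaintext.Length);   // disposing cs writes the final padded block
            }
            ciphertext = ms.ToArray();
        }

        // Wrap the content key under the user's RSA public key (RSA-OAEP).
        // Assumption: OAEP with SHA-1, as implied by the bare "RSA-OAEP" algorithm name.
        byte[] wrappedKey = userPublicKey.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA1);

        var encryptionData = new   // shape of EncryptionDataModel; byte[] serializes as base64
        {
            EncryptionMode = "FullBlob",
            WrappedContentKey = new { KeyId = keyId, EncryptedKey = wrappedKey, Algorithm = "RSA-OAEP" },
            EncryptionAgent = new { Protocol = "1.0", EncryptionAlgorithm = "AES_CBC_256" },
            ContentEncryptionIV = aes.IV,
            KeyWrappingMetadata = new { }
        };
        return (ciphertext, JsonSerializer.Serialize(encryptionData));
    }

    public static void Main()
    {
        using var rsa = RSA.Create(2048);   // stands in for the user's key pair held by the Key Store Service
        var (ct, meta) = Encrypt(Encoding.UTF8.GetBytes("constructed evidence payload"), rsa, "user-key-1");
        Console.WriteLine($"{ct.Length} ciphertext bytes; metadata: {meta}");
    }
}
```

The private half of the RSA key never leaves the key store in the real flow; only the public key is fetched, so the device can wrap but never unwrap the content key.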

Example metadata model (JSON / C#)

// Serialized as JSON into the blob metadata entry x-ms-meta-encryptiondata.
internal class EncryptionDataModel
{
    // IV used for the AES-CBC content encryption
    public byte[] ContentEncryptionIV { get; set; }

    public EncryptionDataAgentModel EncryptionAgent { get; set; }

    public string EncryptionMode { get; set; } = "FullBlob";

    public object KeyWrappingMetadata { get; set; }

    public EncryptionDataContentKeyModel WrappedContentKey { get; set; }
}

// The one-time AES-256 content key, wrapped with the user's public key.
internal class EncryptionDataContentKeyModel
{
    public string Algorithm { get; set; } = "RSA-OAEP";

    public byte[] EncryptedKey { get; set; }

    // Identifies the user's key in the Key Store Service
    public string KeyId { get; set; }
}

// Identifies the client-side encryption protocol version and content cipher.
internal class EncryptionDataAgentModel
{
    public string EncryptionAlgorithm { get; set; } = "AES_CBC_256";

    public string Protocol { get; set; } = "1.0";
}