File encryption

🚧

Encryption is required for all evidence. Refer to the reference design for guidance on the available encryption libraries.

For security reasons, all files must be encrypted on the client before they are sent to Clearance (principle of edge-device encryption): Clearance never receives plaintext evidence.
The encryption standard for Clearance is Azure Blob Storage client-side encryption (protocol version 1.0), so any client that implements that scheme can produce and read Clearance evidence.

To encrypt an evidence item:

  1. Retrieve the user's public key from the Key Store Service API.
  2. Generate a new single-use symmetric AES-256 key locally for this file (AES_CBC_256), together with a random 16-byte IV.
  3. Encrypt the file with the generated AES-256 key in CBC mode with PKCS7 padding (the ciphertext can be uploaded while it is being produced).
  4. Wrap the AES-256 key with the user's public key using RSA-OAEP.
  5. Store the IV and the wrapped key, in the JSON layout shown below, in the blob metadata entry named encryptiondata (sent as the x-ms-meta-encryptiondata header); see the Azure SDK.
  6. Once the encryption metadata has been sent, complete the resource/evidence.

The content key is used for exactly one file and the IV must be freshly generated from a cryptographic random source for every encryption; AES-CBC gives confidentiality only, so a reused key/IV pair or a predictable IV weakens the scheme, and integrity of the stored blob has to be ensured by other means (transport security, blob checksums).
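The six steps above carried through in one place, as an added example (this is not Clearance's or the Azure SDK's own code). It uses only the .NET base class library; a locally generated RSA key pair stands in for the Key Store Service, the `KeyId` value is a hypothetical placeholder, and the upload itself is left out: the returned dictionary is what you would pass as blob metadata (for example in `BlobUploadOptions.Metadata` with Azure.Storage.Blobs). It interprets the `RSA-OAEP` identifier the way Azure Key Vault does, OAEP with SHA-1 (Key Vault calls the SHA-256 variant `RSA-OAEP-256`); if your key store wraps with SHA-256, change the padding on both sides. The decrypt path shows the checks a reader should perform on the metadata before using any key material.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class EvidenceEncryption
{
    // Blob metadata key; Azure sends it on the wire as the x-ms-meta-encryptiondata header.
    public const string MetadataKey = "encryptiondata";

    // Step 2-5: one-time AES-256-CBC key + random IV, PKCS7 padding, key wrapped with RSA-OAEP.
    // keyId is whatever identifier the key store returned for the user's public key.
    public static (byte[] Ciphertext, Dictionary<string, string> Metadata) Encrypt(
        byte[] plaintext, RSA userPublicKey, string keyId)
    {
        using var aes = Aes.Create();
        aes.KeySize = 256;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.GenerateKey(); // single-use content key: never reused for another file
        aes.GenerateIV();  // 16 random bytes; CBC needs an unpredictable IV per encryption

        byte[] ciphertext;
        using (var ms = new MemoryStream())
        {
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
                cs.Write(plaintext, 0, plaintext.Length); // Dispose() flushes the final padded block
            ciphertext = ms.ToArray();
        }

        // "RSA-OAEP" in Key Vault terms is OAEP with SHA-1 / MGF1-SHA-1 (assumption: your key store agrees).
        byte[] wrappedKey = userPublicKey.Encrypt(aes.Key, RSAEncryptionPadding.OaepSHA1);

        // System.Text.Json writes byte[] as Base64, matching the sample metadata on this page.
        string json = JsonSerializer.Serialize(new
        {
            ContentEncryptionIV = aes.IV,
            EncryptionAgent = new { EncryptionAlgorithm = "AES_CBC_256", Protocol = "1.0" },
            EncryptionMode = "FullBlob",
            WrappedContentKey = new { Algorithm = "RSA-OAEP", EncryptedKey = wrappedKey, KeyId = keyId }
        });

        return (ciphertext, new Dictionary<string, string> { [MetadataKey] = json });
    }

    // Reverse path for a reader holding the user's private key. Rejects anything that is not the
    // scheme mandated on this page before unwrapping, and never treats a metadata-less blob as plaintext.
    public static byte[] Decrypt(byte[] ciphertext, IReadOnlyDictionary<string, string> metadata, RSA userPrivateKey)
    {
        if (!metadata.TryGetValue(MetadataKey, out var json))
            throw new InvalidOperationException("blob has no encryptiondata metadata");

        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        var agent = root.GetProperty("EncryptionAgent");
        var wck = root.GetProperty("WrappedContentKey");
        if (agent.GetProperty("Protocol").GetString() != "1.0"
            || agent.GetProperty("EncryptionAlgorithm").GetString() != "AES_CBC_256"
            || root.GetProperty("EncryptionMode").GetString() != "FullBlob"
            || wck.GetProperty("Algorithm").GetString() != "RSA-OAEP")
            throw new CryptographicException("unsupported encryption metadata");

        byte[] iv = root.GetProperty("ContentEncryptionIV").GetBytesFromBase64();
        if (iv.Length != 16) throw new CryptographicException("ContentEncryptionIV must be 16 bytes");

        byte[] key = userPrivateKey.Decrypt(wck.GetProperty("EncryptedKey").GetBytesFromBase64(),
                                            RSAEncryptionPadding.OaepSHA1);
        if (key.Length != 32) throw new CryptographicException("unwrapped content key is not AES-256");

        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        aes.IV = iv;
        using var decryptor = aes.CreateDecryptor();
        return decryptor.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }

    // Round trip with a locally generated key pair standing in for the Key Store Service.
    public static void Main()
    {
        using var userKey = RSA.Create(2048);
        byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample evidence, not a real file");
        var (ct, meta) = Encrypt(plaintext, userKey, "https://example.invalid/keys/user-key/1"); // hypothetical KeyId
        Console.WriteLine(meta[MetadataKey]); // the JSON document that goes into x-ms-meta-encryptiondata
        byte[] back = Decrypt(ct, meta, userKey);
        Console.WriteLine(plaintext.AsSpan().SequenceEqual(back) ? "round trip OK" : "MISMATCH");
    }
}
```

The metadata validation in `Decrypt` is deliberate: because CBC with PKCS7 padding carries no authentication, the only thing a reader can check before decrypting is that the metadata describes the expected scheme and key sizes, so a downgrade to another algorithm or a truncated IV is refused up front rather than discovered as a padding error.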

Example metadata (JSON):

{
   "ContentEncryptionIV":"3wpX+/BH7lI3GzNm9PAdng==",
   "EncryptionAgent":{
      "EncryptionAlgorithm":"AES_CBC_256",
      "Protocol":"1.0"
   },
   "EncryptionMode":"FullBlob",
   "WrappedContentKey":{
      "Algorithm":"RSA-OAEP",
      "EncryptedKey":"Bhm18f+hikcK5EMqMS28SgYRqIqCnuZMpEyJME6vsOo+2AUtvh3wWjYdNBP29PQ4MH2l5yHAJmKu0AIa/A3bmOm+tFIXfXkwQug9r7fCy8HOUK6Jhf2T/SqwGcjqOfbALkSQ74X6n1X+6C32cVhccfz7vFtVYKbGhKn81xTQqn2f15C417OKIsuZLdWIcTOqEE+OW4ouZT0900I4M6rYk28GmV3Bht59bVI3hIk5DuI3obFeYR0YpKZGkONxPyNsCnz5xmmth/SVl8/SRlmtFHf43H2zyeFmol3qdLYEngJaW1cmeCj6ArBIVYH6eEbFPg2Cu+bvmxL5qHtinjLVHA==",
      "KeyId":"https://dems-prod-eus-keyvault.vault.azure.net/keys/genetec-key/7b2cad59333347b989beccad2144d4ff"
   }
}

C# model used to (de)serialize the metadata; byte[] properties are written as Base64 strings, matching the JSON above:

using System.Diagnostics.CodeAnalysis;

[ExcludeFromCodeCoverage]
internal class EncryptionDataModel
{
  // Random 16-byte IV for AES-CBC, generated per file.
  public byte[] ContentEncryptionIV { get; set; }

  public EncryptionDataAgentModel EncryptionAgent { get; set; }

  public string EncryptionMode { get; set; } = "FullBlob";

  // Optional free-form data about the key-wrapping step; not present in the sample above.
  public object KeyWrappingMetadata { get; set; }

  public EncryptionDataContentKeyModel WrappedContentKey { get; set; }
}

[ExcludeFromCodeCoverage]
internal class EncryptionDataContentKeyModel
{
  public string Algorithm { get; set; } = "RSA-OAEP";

  // The one-time AES-256 content key, wrapped with the user's public key.
  public byte[] EncryptedKey { get; set; }

  // Identifier of the wrapping key, as returned by the key store.
  public string KeyId { get; set; }
}

[ExcludeFromCodeCoverage]
internal class EncryptionDataAgentModel
{
  public string EncryptionAlgorithm { get; set; } = "AES_CBC_256";

  public string Protocol { get; set; } = "1.0";
}