I hear what you are saying. Once I have all the working pieces in place I will be diving more into the encryption methodology. I believe there's going to be a limit to what can be implemented because of the use cases. Saying that, I'm open to feedback, ideas and pull requests.
-----Original Message----- From: Antonio Sanso [mailto:asa...@adobe.com.INVALID] Sent: Monday, November 13, 2017 1:35 AM To: dev@sling.apache.org Subject: Re: value level encryption EXTERNAL hi Jason, leaving aside the API design for a second and focusing on the mere crypto. I would really be careful on what you are defining as default. AES ECB is almost = to no encryption. Same as providing a fixed IV... just saying..... regards antonio On Nov 10, 2017, at 9:53 PM, Jason Bailey <jason.bai...@sas.com> wrote: > Wanted to give a heads up in the direction I'm going with this. > > https://github.com/JEBailey/sling-encrypt > > CipherProvider is a service interface to provide pre-initialized Cipher > Objects for encoding and decoding content. > EncryptionValueMap encompasses the functionality to encrypt and decrypt > specific fields, currently focusing on String and String[] value types. Put > and Get methods not implemented yet. > EncryptionValueMapDecorator to wrap a map. > > For the EncryptionValueMap, I'm recording the properties that are encrypted > in a separate property field, so that accessing those fields can be done > seamlessly from any place that you are instantiate the EncryptionValueMap. > > Feedback appreciated. > > -----Original Message----- > From: Justin Edelson [mailto:jus...@justinedelson.com] > Sent: Friday, November 03, 2017 3:37 PM > To: dev@sling.apache.org > Subject: Re: value level encryption > > EXTERNAL > > In AEM, posting encrypted properties to /etc/cloudservices is historically > the primary use case for @Encrypted, but the PostProcessor applies to all > post requests. > > I think this would be a useful addition to Sling. We may want to have some > kind of SPI to support different encryption schemes, but that's an > implementation detail. > > Regards, > Justin > > > On Fri, Nov 3, 2017 at 2:48 PM Jason Bailey <jason.bai...@sas.com> wrote: > >> They only docs I can find on that, assuming we're talking AEM, >> mentions it only works for posting things into /etc/cloudservices. So that's >> out. >> It's been a while, but I'm under the impression that all >> implementations of the java platform now come with a certain level of >> crypto >> >> https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html >> >> I'd probably add a configuration so you could define the level of >> cryptography, and then that would allow people who needed a higher >> level to install their own providers. Is this something that Sling >> would be interested in? Since I'm going to be writing this, if you're >> interested, I'd rather write it with the intent of directly donating it. >> >> >> >> -----Original Message----- >> From: Justin Edelson [mailto:jus...@justinedelson.com] >> Sent: Friday, November 03, 2017 1:35 PM >> To: dev@sling.apache.org >> Subject: Re: value level encryption >> >> EXTERNAL >> >> We have this in our commercial product. At a high level, the way it >> works is that there is a PostProcessor which looks for an @Encrypted >> postfixed property and, if that is present, the corresponding >> property is stored in an encrypted fashion. Decryption is all done >> manually, although personally the idea of an EncryptionValueMap seems really >> cool to me. >> >> I believe the challenge in bringing this into Sling relates to the >> encryption libraries. >> >> On Fri, Nov 3, 2017 at 8:45 AM Jason Bailey <jason.bai...@sas.com> wrote: >> >>> Here's the use case >>> >>> My organization has decided that to conform to the GDPR, any >>> sensitive data should be encrypted while at rest. From a Sling >>> perspective that is a challenge since we've empowered the authors to >>> create forms the way they want. So to be on the safe side, we're >>> looking at encrypting all form fields as they are persisted, and >>> then decrypting the values from the resource when we need to processes >>> them. >>> >>> Now I'm thinking of an EncryptionValueMap that will simplify this >>> process and encapsulate the functionality. You guys are usually >>> ahead of me when I come up with this stuff and I don't like >>> replicating effort. So is there any functionality currently or >>> planned to handle encryption of resource values? >>> >>> Thanks >>> Jason >>> >>