Hi all,
this is probably a question to our mentors:

Users in StreamPipes are able to configure data sinks (e.g., a sink that stores data in a MySQL database). In the configuration, users can (for example) enter a database password. I'm currently working on an improved authentication/authorization system for StreamPipes and as part of this, such passwords should be stored in our internal database in an encrypted way (and decrypted once a pipeline is started based on a secret key provided by users as an env variable). For this, we would import packages from javax.crypto and include a library called Jasypt [1] for encryption/decryption, which is Apache licensed and approved for export.

I've read through the ASF regulations on usage of crypto software [2] and wonder if an ECCN filing for StreamPipes is needed when using this library or javax.crypto imports?

It would be great to receive some advice on this.

Thanks!
Dominik

[1] https://github.com/jasypt/jasypt
[2] https://infra.apache.org/crypto.html
[3] What is Jasypt's export classification in the United States of America? Although Jasypt does not implement nor distribute in any of its forms any cryptographic algorithms, it can use them via the Java Cryptography Extension API and, as such, it is classified under ECCN code 5D002 and approved for export under License Exception TSU.
