Data exchange encryption

In today’s digital landscape, ensuring the security and integrity of data exchange processes is most important for businesses across all industries. While current data exchange methods in Synerise involving files or HTTPS requests are secured with protocols, some organizations may require an additional layer of protection for sensitive information.

To address these heightened security needs, Synerise lets you improve the security of your data transfers by decrypting incoming data and encrypting outgoing data by RSA or AES keys which you can add in Synerise.

These keys can be used while preparing data transformation rules in the form of Encrypt Data and Decrypt Data nodes, which can help you encrypt and decrypt data in the files which you retrieve or export outside Synerise.

This feature is primarily tailored for enterprise customers seeking to secure their data exchange processes and uphold highest security standards.

Purposes

You can use RSA or AES keys for the following purposes:

Logic

The process of adding the key is determined by the distinct logic provided by AES and RSA keys.

AES keys

In Synerise’s data exchange encryption process, you bring your own Data Encryption Key (DEK) to encrypt and decrypt data within our system. Synerise provides you with the Key Encryption Key (KEK) which you must use to wrap your DEK to secure the transmission of the encrypted data and to restrict access only to authorized users. This process looks as follows:

1. Download a workspace key encryption key (KEK) from Settings > Encryption Key.

2. Wrap your AES-256 secret key using the downloaded key encryption key and a Python script below.
   The script will use RSA-OAEP padding with SHA-256 to print a wrapped AES-256 key to standard output.

   Click to expand the script

   from cryptography.hazmat.primitives.asymmetric import padding
   from cryptography.hazmat.primitives import hashes
   from cryptography.hazmat.primitives.serialization import load_pem_public_key
   import click
   import base64
   import json
   
   
   def encrypt_key(public_key, secret_key):
       '''
       This function takes PEM encoded public key and AES secret key in base64 encoded form and wraps the AES secret using public key.
       The public key for wrapping may be downloaded from UI or using Synerise API endpoint /workspace-wrapping-key and is global for each workspace.
       '''
       padding_config = padding.OAEP(
               mgf=padding.MGF1(algorithm=hashes.SHA256()),
               algorithm=hashes.SHA256(),
               label=None
           )
       padding_config = init_cipher(public_key)
       encrypted_data = public_key.encrypt( secret_key, padding_config)
       return encrypted_data
   
   @click.command()
   @click.option('--public-key', 'public_key', required=True, help='RSA wrapping public key')
   @click.option('--secret-key', 'secret_key', required=True, help='Base64 encoded secret key to wrap and upload')
   def wrap_key(public_key: str, secret_key: str):
       '''
       Script main function. Requires packages:
           "click>=8.2.1",
           "cryptography>=45.0.5",
       '''
       key = public_key
       secret_key_bytes = base64.b64decode(secret_key)
       # prepare PEM key from Synerise format i.e. add prefix and suffix plus split into lines with 64 characters
       lines = ["-----BEGIN PUBLIC KEY-----"]
       while True:
           if len(key) >= 64:
               lines.append(key[:64])
               key = key[64:]
           else:
               lines.append(key)
               break
   
       lines.append("-----END PUBLIC KEY-----")
       public_key_in_lines = "\n".join(lines)
   
       # load pem public_key
       public_key = load_pem_public_key(public_key_in_lines.encode())
       # encrypt does wrap on AES DEK key
       encrypted_key = encrypt_key(public_key, secret_key_bytes)
       wrapped_key = base64.b64encode(encrypted_key).decode('utf-8')
       print(wrapped_key)
   
   if __name__ == "__main__":
       wrap_key()

3. Upload the output of the above script to Synerise while adding an AES encryption key.

RSA keys

When you add an RSA key type to Synerise, you only need to provide the public key while ensuring the private key is securely stored in a safe location. This means that the process of adding the RSA key only requires providing your public key.

Statuses

An encryption key can receive the following statuses:

• Enabled - A key receives this status after creating. The key is ready for use.
• Pending - A key receives this status when it’s activation date is set for the future.
• Revoked - After being revoked, a key and its versions are labeled as revoked. A key in this state cannot be used and its status cannot be changed.
  
  WARNING: Revoking a key used in a transformation rule within a running workflow will cause that workflow to stop working.
• Expired - This status can be assigned to a key version. The encryption key version with this status cannot be used.

Requirements

You must have a user role with the following permissions:

• Settings > Encryption keys > Read - To preview list of encryption keys, preview list of encryption keys in Encrypt Data and Decrypt Data nodes in Data Transformation;
• Settings > Encryption keys > Create - To create an encryption key;
• Settings > Encryption keys > Edit - To add a key version, to revoke the key;

Adding an encryption key

The procedure involves downloading a key encryption key (KEK) which you will use to encrypt (or decrypt) your data encryption key (DEK). After you encrypt your key with the KEK, you can paste it in the form. Additionally, you can define the name of the key, add a description to the key (to let other workspace users know what is the purpose of the key), activation and expiration dates.

1. Go to Settings > Encryption keys.

2. In the upper-right corner, click Add Encryption Key.

3. From the dropdown list, select the key type:

   • Symmetric key (AES)
   • Asymmetric key (RSA)
     Result: A pop-up appears.

   

4. If in the previous step:

   • you selected Symmetric key (AES), click Download.
     Result: A key encryption key is downloaded to your device. Make sure you wrap your DEK with this key and script provided in Logic for AES keys.
   • you selected Asymmetric key (RSA), click Next step. Result:

   

5. In Data Encryption Key:

   • if you are adding AES key, paste the wrapped key.
   • if you are adding RSA key, paste the public key.

6. In Data Encryption Key name, enter the name for your key for the purposes of identifying the key on the list of encryption keys.

7. In Description, enter the purpose of the encryption key.

8. Optionally, to define the activation and/or the expiration dates for the encryption key, enable Activate at specific date and/or Expire at specific date options, respectively. From the calendar, select the dates.
   If you don’t provide:

   • the activation date, the key will be saved to be activated on the current date;
   • the expiration date, the key will never expire.

9. Confirm the settings by clicking Apply.
   Result: The key is saved and ready for use.

Adding a key version

1. Go to Settings > Encryption keys.
2. On the list of encryption keys, find the one to which you want to add a version.
3. Next to the name of the encryption key, click .
4. From the dropdown list, click Add new version.
5. Perform the steps from step 4 from the Adding encryption key section.
   
   Important: You can only upload your key wrapped with key encryption key and optionally, define the activation and expiration dates for it.

Revoking a key

You can revoke a key, for instance, in the event of a key leak. Revoking a key will also revoke all of its versions. This action is irreversible and will break the integrations which use the key.

1. Go to Settings > Encryption keys.
2. On the list of encryption keys, find the one to which you want to revoke.
3. Next to the name of the encryption key, click .
4. From the dropdown list, click Revoke.
   Result: A pop-up appears.
5. Confirm the execution by clicking Yes, revoke.