Rekeying encrypted data changes the KMS config needed to decrypt the data without touching the data itself. This is done by unwrapping just the encrypted document encryption key (EDEK) and then re-wrapping it using a new config. The EDEK can be re-wrapped to a new tenant, or to its existing tenant as a way of updating the primary config used.
In order to run this example, you need to be running a Tenant Security Proxy (TSP) on your machine. Check the README.md file in the parent directory to see how to start the TSP, if you haven't done so yet.
Once the TSP is running, you can experiment with this example Java program. It illustrates the basics of how to use the Tenant Security Client (TSC) SDK to rekey data. The example code contains three parts:
- Encrypting a customer record to a tenant
- Rekeying the encrypted record to a new tenant
- Decrypting the encrypted record with the new tenant
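The three steps above, as an added walkthrough that is not the repository's own `RekeyExample`. It assumes the TSC Java SDK's `TenantSecurityClient.create`, `encrypt`, `rekeyEdek` and `decrypt` methods and the `DocumentMetadata`/`EncryptedDocument` types, a TSP listening at `http://localhost:32804`, and the `API_KEY`/`TENANT_ID` environment variables from this README; the field names and the `"rekey-example"`/`"PII"` metadata values are constructed for illustration.

```java
// Added example (not the repository's RekeyExample): encrypt to one tenant,
// rekey only the EDEK to a second tenant, then decrypt with the new tenant.
// Assumed SDK API: TenantSecurityClient.create/encrypt/rekeyEdek/decrypt.
import com.ironcorelabs.tenantsecurity.kms.v1.DocumentMetadata;
import com.ironcorelabs.tenantsecurity.kms.v1.EncryptedDocument;
import com.ironcorelabs.tenantsecurity.kms.v1.PlaintextDocument;
import com.ironcorelabs.tenantsecurity.kms.v1.TenantSecurityClient;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;

public class RekeyWalkthrough {
    public static void main(String[] args) throws Exception {
        String apiKey = System.getenv("API_KEY");
        String initialTenant = System.getenv().getOrDefault("TENANT_ID", "tenant-gcp");
        // Set this equal to initialTenant to rekey to that tenant's current primary config.
        String newTenant = "tenant-aws";

        // Local TSP started per the parent README (address is an assumption).
        TenantSecurityClient client =
            TenantSecurityClient.create("http://localhost:32804", apiKey).get();

        // Constructed sample record; field names are illustrative.
        Map<String, byte[]> record = Map.of(
            "ssn", "000-12-2345".getBytes(StandardCharsets.UTF_8),
            "name", "Jim Bridger".getBytes(StandardCharsets.UTF_8));

        // 1. Encrypt: the TSP wraps a fresh DEK with the initial tenant's KMS config.
        DocumentMetadata initialMeta = new DocumentMetadata(initialTenant, "rekey-example", "PII");
        EncryptedDocument encrypted = client.encrypt(record, initialMeta).get();
        byte[] ssnCiphertextBefore = encrypted.getEncryptedFields().get("ssn");

        // 2. Rekey: only the EDEK is sent to the TSP; the field ciphertexts never leave here.
        String newEdek = client.rekeyEdek(encrypted.getEdek(), newTenant, initialMeta).get();
        EncryptedDocument rekeyed = new EncryptedDocument(encrypted.getEncryptedFields(), newEdek);

        // Check the property the README states: the encrypted data itself is untouched.
        if (!Arrays.equals(ssnCiphertextBefore, rekeyed.getEncryptedFields().get("ssn"))) {
            throw new IllegalStateException("rekey must not modify field ciphertext");
        }

        // 3. Decrypt with the new tenant's config; the initial tenant's KMS is no longer needed.
        DocumentMetadata newMeta = new DocumentMetadata(newTenant, "rekey-example", "PII");
        PlaintextDocument decrypted = client.decrypt(rekeyed, newMeta).get();
        System.out.println("Decrypted SSN: "
            + new String(decrypted.getDecryptedFields().get("ssn"), StandardCharsets.UTF_8));
    }
}
```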
To run the example, you will need to have a Java JRE 17+ and Maven installed on your computer.
```
export API_KEY='0WUaXesNgbTAuLwn'
mvn package
java -cp target/rekey-example-0.1.0.jar com.ironcorelabs.rekey.RekeyExample
```

We've assigned an API key for you, but in production you will make your own and edit the TSP configuration with it. This should produce output like:
```
Using tenant tenant-gcp
Rekeying to tenant tenant-aws
Decrypting with tenant tenant-aws
Decrypted SSN: 000-12-2345
Decrypted address: 2825-519 Stone Creek Rd, Bozeman, MT 59715
Decrypted name: Jim Bridger
```
The decrypted output is printed after encrypting, rekeying, and then decrypting the customer record.
When you run the example, you should see a number of INFO log lines generated by your TSP indicating that it wrapped a new DEK using the KMS, rekeyed to a new tenant, and then unwrapped an EDEK.
The initial tenant and new tenant could be the same in order to rekey data to the tenant's current primary config. If you would like to experiment with a different initial tenant, just do:

```
export TENANT_ID=<initial-tenant-ID>
env $(cat ../demo-tsp.conf) java -cp target/rekey-example-0.1.0.jar com.ironcorelabs.rekey.RekeyExample
```

The available tenants are listed in the README.md in the parent directory.
If you set the tenant to tenant-gcp-l and run the program, then compare the logs generated by the TSP to the logs generated when you use tenant-gcp, you can see the difference between using a KMS configuration that has key leasing enabled versus one that does not.
If you would like some more in-depth information, our website features a section of technical documentation about the SaaS Shield product.