openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dan McWeeney <>
Subject Parameter Encryption
Date Tue, 26 Nov 2019 21:41:20 GMT
We have had some questions from users around how default parameters (action and package) are
or are not encrypted at rest and as they move through the system. Today they are obviously
not being encrypted and that has been an impediment to adoption for certain use cases ( especially
web actions ).

I’ve gone ahead and taken a first shot at automatically encrypting parameters as they are
updated / created in the system[0]. The PR change slightly how the parameters are stored in
the DB to allow each parameter to be marked if it was encrypted and with what algorithm. This
enables the system to handle existing unencrypted parameters but slowly “migrate” data
to the new storage format. The parameters move over kafaka encrypted as well and aren’t
decrypted until just before being sent to the action[1].

The code that handles the unpacking on the other side of kafka is a bit rough[2] due to how
the action is serialized before being placed into kafka. Any thoughts on improving that would
be appreciated, I didn’t want to go as far as changing the Kafka serialization if others
weren’t interested in this kind of improvement.

The PR is still a bit of  WIP as I sort out the packaging of the larger key sizes in java
crypto, we wanted to use AES256 which I can’t seem to coax into the jar.

For those of you in the US, Happy Thanksgiving!


[0] -
[1] -
[2] -

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message