openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodric Rabbah <>
Subject Re: Parameter Encryption
Date Wed, 27 Nov 2019 16:17:09 GMT
Hi Dan. Are you creating a signing key per namespace and storing it with the identity record
or using a global key? I haven’t looked at the PR yet. 


> On Nov 26, 2019, at 4:41 PM, dan McWeeney <> wrote:
> We have had some questions from users around how default parameters (action and package)
are or are not encrypted at rest and as they move through the system. Today they are obviously
not being encrypted and that has been an impediment to adoption for certain use cases ( especially
web actions ).
> I’ve gone ahead and taken a first shot at automatically encrypting parameters as they
are updated / created in the system[0]. The PR change slightly how the parameters are stored
in the DB to allow each parameter to be marked if it was encrypted and with what algorithm.
This enables the system to handle existing unencrypted parameters but slowly “migrate”
data to the new storage format. The parameters move over kafaka encrypted as well and aren’t
decrypted until just before being sent to the action[1].
> The code that handles the unpacking on the other side of kafka is a bit rough[2] due
to how the action is serialized before being placed into kafka. Any thoughts on improving
that would be appreciated, I didn’t want to go as far as changing the Kafka serialization
if others weren’t interested in this kind of improvement.
> The PR is still a bit of  WIP as I sort out the packaging of the larger key sizes in
java crypto, we wanted to use AES256 which I can’t seem to coax into the jar.
> For those of you in the US, Happy Thanksgiving!
> -d
> [0] -
> [1] -
> [2] -

View raw message