Enhanced Account Encryption

Overview

Organizations using self-managed Snaplexes (Groundplexes) can subscribe to Enhanced Encryption. With Enhanced Encryption, in contrast to Standard Encryption, organizations create their own private keys and do not share them with SnapLogic. The UI encrypts Account data with a public key and the Groundplex decrypts it with a private key.

Starting the Snaplex for the first time automatically generates the data keys. The keys must be manually synced across the Groundplex nodes. The account data encryption keys are located in the /etc/snaplogic directory: jcc-datakeys.jks is the keystore and jcc-datakeys.pass holds the password for the keystore. Use the same set of keys on all the Groundplex nodes across the whole Org.

For TLS connections, the Snaplex also maintains SSL certificates. These are also in the /etc/snaplogic directory: jcc-serverkeys.jks is the keystore and jcc-serverkeys.pass holds the password for the keystore. These should be unique for each node and, therefore, should not be synced across the Groundplex nodes. The certificates are used for TLS connections only, not for account encryption.

Workflow

To enable Enhanced Encryption, follow the high-level steps listed here. Find the detailed procedures below.

  1. A Snaplex administrator:

    1. Restarts the SnapLogic service on one Snaplex node to generate the keystores and password files.

    2. Copies the data keystore and data password file to all other Snaplex nodes.

    3. Restarts all Snaplex nodes.

  2. In SnapLogic Manager, an Org admin:

    1. Enables Enhanced Encryption

    2. Selects the encryption sensitivity (sensitivity determines how many Account fields will be encrypted)

    3. Selects the public key. After Enhanced Encryption is enabled, an Org admin can rotate the key. Running Pipelines continue executing while the key is being rotated.

After Enhanced Encryption is enabled for an Org:

  • All Accounts are sent to the Groundplex to be decrypted with the old key and encrypted with the new key.

  • Encrypted Account fields do not display values. However, you can change the value by entering and saving a new one.

  • If an Org admin changes the encryption sensitivity level from Low, Medium, High to High, existing accounts remain at the previous level unless you update them. Changing from High to Low, Medium, High causes account data to be encrypted. All new Accounts follow the updated sensitivity encryption level.

  • The encrypted data is not automatically decrypted if you revert from Enhanced to Standard encryption. The encrypted values continue to work as long as the server key is still in the node.

  • Accounts that were exported when the Org used the old key have the sensitive fields encrypted with the old key. When an Account is imported into the Org after the key is rotated, it is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.

Best Practices

We strongly recommend the following:

  • Make backup copies of the generated data keystore and password files. Otherwise, if the data keys become corrupted and unrecoverable, you must manually re-enter all sensitive Account field values to recover connectivity.

  • Do not change an Org that uses Enhanced Encryption back to Standard Encryption. If you do so, existing OAuth 2.0 accounts will not function; you must re-create them.

Prerequisites

The following requirements must be met to use Enhanced Encryption.

  • Google Chrome version 37 and later.

  • Java 11 environment.

  • For nodes deployed on Linux OS, the latest version of the RPM/DEB SnapLogic installer. 

  • Snaplexes can be deployed either on Windows or Linux operating systems. However, for a Snaplex on the Windows OS, you must encrypt the data keys on a Linux machine and copy them to the nodes running on Windows.

Limitations

  • The script that generates and updates the data keystore is supported only on Linux OS. You can generate the keystore and password file on a Linux machine and copy them to a Windows machine. If all of a self-managed Snaplex’s nodes are on Windows machines, install the Linux RPM (Snaplex installation package) on a Linux machine solely for the purpose of generating or updating the key store using the jcc.sh script.

  • To use Enhanced Encryption, an Org cannot have a mixture of self-managed Snaplexes and those managed by SnapLogic. Before enabling Enhanced Encryption, work with SnapLogic support to remove Cloudplexes from the Org or convert them to Groundplexes.

Preparing Snaplex Nodes for Enhanced Encryption

Enhanced Encryption key sizes are not supported in the SnapLogic managed Snaplex installation. After restarting the SnapLogic service, a new key pair is generated automatically and saved to disk, per JCC node. You must copy the generated data files, jcc-datakeys.jks and jcc-datakeys.pass, from one node to all of the others for that Groundplex. 

Server Keys

Server keys (jcc-serverkeys.jks and jcc-serverkeys.pass) must be unique per JCC node. Do not copy server keys across all nodes.

On Linux Operating Systems

To enable Enhanced Encryption on a Linux machine, follow these steps:

  1. On the machine hosting a node, restart the node.

  2. Find the keys in the /etc/snaplogic folder.

  3. Copy the jcc-datakeys.jks and jcc-datakeys.pass files to the machines hosting the other Snaplex nodes.

  4. Restart the SnapLogic service on each node.

During startup, the nodes upload their public keys to the SnapLogic cloud. Org admins can view the keys in the Encryption Settings dialog.
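One way to check the copy in step 3, and the rule that data keys match on every node while server keys stay unique per node, is to compare file digests. This is an added example, not SnapLogic tooling: node_digests and check_key_sync are hypothetical helper names, and sha256sum is assumed to be installed on the nodes.

```shell
#!/bin/sh
# Added example (not SnapLogic code). Assumes sha256sum is installed and that
# the key files live in /etc/snaplogic unless another directory is given.

# Print "<node> <file> <sha256>" for each key file on this node.
node_digests() {  # usage: node_digests NODE_NAME [KEY_DIR]
  nd_node=$1
  nd_dir=${2:-/etc/snaplogic}
  for nd_f in jcc-datakeys.jks jcc-datakeys.pass jcc-serverkeys.jks; do
    if [ -r "$nd_dir/$nd_f" ]; then
      echo "$nd_node $nd_f $(sha256sum "$nd_dir/$nd_f" | cut -d' ' -f1)"
    else
      echo "$nd_node $nd_f MISSING"
    fi
  done
}

# Read the digest lines of all nodes on stdin. Returns 0 only when the data
# keystore and password file match everywhere and no server keystore repeats.
check_key_sync() {
  awk '
    BEGIN { bad = 0 }
    $3 == "MISSING" { print "FAIL: " $1 " has no " $2; bad = 1; next }
    $2 ~ /^jcc-datakeys/ {
      if (!($2 in ref)) { ref[$2] = $3; first[$2] = $1 }
      else if (ref[$2] != $3) {
        print "FAIL: " $2 " on " $1 " differs from " first[$2]; bad = 1
      }
      next
    }
    $2 == "jcc-serverkeys.jks" {
      if ($3 in seen) {
        print "FAIL: " $1 " has the same server keystore as " seen[$3]; bad = 1
      } else seen[$3] = $1
    }
    END { exit bad }
  '
}
```

Run node_digests on each node as a user that can read the key files, concatenate the output lines from all nodes, and pipe them to check_key_sync. Only digests leave the nodes, not the key files themselves.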

On Windows Operating Systems

As mentioned previously, you must generate the data keys on a Linux machine by downloading a Linux installation package and starting a node. To prepare nodes on Windows machines:

Recommendation

Data keys are the same across JCC nodes; however, the server keys are unique for each JCC node. You should generate the data keys on a Linux machine and copy them to the folder pointed to by the SL_KEY_DIR property on the Windows machine. Restrict access to this directory to the system admins on the node.

  1. Find the jcc-datakeys.jks and jcc-datakeys.pass in the /etc/snaplogic folder of the Linux machine.

  2. Copy the data key files to a directory on the Windows machine that only security administrators and users running the Snaplex node can access. 

  3. Add the directory name as the value of a new SL_KEY_DIR Java property in the Snaplex configuration file:

    1. Navigate to the target Snaplex in Manager and click to open it.

    2. Click the Node Properties tab, and under Global Properties, click to enter the key-value pair.

    3. Add the following in the Snaplex property, where Value is the location of the data keys. For example:

    4. Click Update.

  4. Restart the SnapLogic service on all nodes with the updated slpropz configuration.

Enabling Enhanced Encryption in SnapLogic

Before enabling Enhanced Encryption, verify that the same data key is used on all nodes for a given Snaplex. To configure Enhanced Account Encryption for your SnapLogic Org:

  1. Log in as an Org admin and navigate to Manager.

  2. From the left menu, select Settings.

  3. Scroll to Account Data Encryption and click Configure Encryption.

     

  4. On the Groundplex tab of Encryption Settings, select Enhanced encryption.

  5. Select the level of sensitivity:

    • High. Encrypts passwords and secret keys.
    • Medium and High. Encrypts usernames, passwords, and secret keys.
    • Low, Medium, and High. Encrypts host name, database names, database URL properties, usernames, passwords, and secret keys.

  6. To set a key for the entire Org, select the target key. Only keys that are available on all nodes are displayed.

  7. Confirm the new key. This configuration causes all accounts to be decrypted using the existing keys and then re-encrypted with the newly selected Org-level key.

  8. Click Update to apply enhanced encryption. 

When you view the Org Settings, the new status is displayed under Configure Encryption with the following fields:

Groundplex processing status

  • Status: Indicates if the Groundplex processing has been successfully executed without encountering errors or issues.

  • Description: The number of accounts encrypted and processed out of the total number of accounts.

  • Last Update: The timestamp of the last update or completion of the Groundplex processing operation.

Rotating Private Keys

To rotate the Enhanced Encryption key, follow these steps:

  1. Install the latest Snaplex RPM/DEB installation package on one of the Groundplex nodes that is already using Enhanced Encryption. This step is required to get the new addDataKey option in the jcc.sh script.

  2. As the root user, run the following command. This command generates a new key pair and appends it to the keystore in the /etc/snaplogic folder with the specified alias. In the example, the alias is keyFeb2020:

    /opt/snaplogic/bin/jcc.sh addDataKey keyFeb2020

  3. Copy the generated data key files (jcc-datakeys.jks and jcc-datakeys.pass) from this node to all the others for the Snaplex, similar to when originally setting up Enhanced Encryption.

  4. Restart the nodes. This step is required to pick up the updated key pair. To do an online restart, use the Snaplex restart option in the Dashboard.

When all nodes run with the new key pair, the Enhanced Encryption settings display the drop-down list, allowing the Org admin to change to the new key.

Adding new Nodes to the Snaplex

When you add nodes to a self-managed Snaplex, the new nodes must have the same encryption key as the others. If the new node does not have a matching key, it is ignored until the keys are synchronized and the JCC is restarted. All nodes' current configuration can be checked in Manager > Settings > Configure Encryption.

Special Use Case: Adding Linux Nodes to an Org Where Keys Were Generated on a Windows Node

The recommended procedure to enable Enhanced Encryption on Windows Groundplex instances is to generate the keys on a Linux machine and then copy them onto the Windows node. The advantage is that the generated keystore is encrypted, and the same keystore can be used on both Windows and Linux nodes.

For Windows installations with Enhanced Encryption where the key was not initially generated in Linux, additional steps are required to add new Linux-based nodes. This is because, in such cases, there would be a datakeys.jks file under the etc folder, with no .pass file. To prepare the keystore to be used on Linux machines:

  1. Copy the keystore datakeys.jks from the Windows machine to the Linux machine and place it in /etc/snaplogic/jcc-datakeys.jks.

  2. Perform the following steps as the root user on the Linux node (change the JRE version as appropriate).

     

    # Perform the operations below as the root user.
    # Copy the datakeys.jks file from Windows to the Linux machine;
    # the file should be placed at /etc/snaplogic/jcc-datakeys.jks
    export JRE_HOME=/opt/snaplogic/pkgs/jdk-11.0.8+10-jre
    cd /opt/snaplogic

    # Generate the password file with a random secure password for the keystore
    export MYPASS="$(openssl rand -base64 32)"
    echo -n "$MYPASS" > /etc/snaplogic/jcc-datakeys.pass

    # Encrypt the keystore with the new password
    "$JRE_HOME/bin/keytool" -storepasswd -new "$MYPASS" -keystore /etc/snaplogic/jcc-datakeys.jks -storepass ""

    # Encrypt the key with the same password
    "$JRE_HOME/bin/keytool" -keypasswd -alias account-autogen -new "$MYPASS" -keystore /etc/snaplogic/jcc-datakeys.jks -storepass "$MYPASS" -keypass ""

     

The keystore is now in a format suitable for use on Linux machines. The jcc-datakeys.jks and jcc-datakeys.pass files can be copied to other Linux-based nodes without repeating the steps in this section. We also recommend that you update the original Windows node to run with this encrypted keystore by setting the SL_KEY_DIR property as described in On Windows Operating Systems.