openspp.orgG2P Encryption Keymanager
Contents
G2P Encryption Keymanager#
The G2P Encryption Keymanager module integrates OpenSPP with an external Key Management System (KMS) to provide robust cryptographic services. It enables secure encryption, decryption, digital signing, and verification of sensitive program data, ensuring data confidentiality and integrity without OpenSPP directly managing cryptographic keys.
Purpose#
This module establishes a secure bridge to external Key Management Systems, centralizing the management of cryptographic keys and operations. It significantly enhances OpenSPP's data security posture by:
Centralized Key Management: Connects OpenSPP to an external Key Management System (KMS) for secure, off-platform management of all cryptographic keys. This separation of concerns improves security by preventing direct key exposure within OpenSPP.
Data Encryption and Decryption: Provides the capability to encrypt and decrypt sensitive data, such as beneficiary records or financial transactions, ensuring confidentiality both at rest and in transit.
Digital Signing and Verification: Enables the creation and verification of digital signatures (specifically JSON Web Signatures - JWS) to confirm data authenticity and integrity, proving that data has not been tampered with.
Secure KMS Authentication: Manages the secure authentication process with the external KMS, including access token acquisition and refresh, to maintain continuous, authorized access to cryptographic services.
Configurable Integration: Offers flexible configuration options for connecting to various KMS solutions, allowing administrators to define API endpoints, authentication details, and application-specific parameters for different cryptographic operations.
This module is crucial for safeguarding sensitive information within OpenSPP, helping programs meet stringent data protection and privacy requirements.
Dependencies and Integration#
The G2P Encryption Keymanager module extends the foundational G2P Encryption module. It specifically implements the "Keymanager" type of encryption provider within the g2p.encryption.provider model.
This module relies on the G2P Encryption module to define the standard interfaces for cryptographic operations. By implementing these interfaces, the Keymanager module allows any other OpenSPP module that requires encryption or digital signing to leverage an external Key Management System seamlessly. Modules dealing with sensitive data can simply select "Keymanager" as their preferred encryption provider via the base g2p_encryption framework, inheriting its robust external key management capabilities.
Additional Functionality#
The G2P Encryption Keymanager module provides several key features to manage and utilize external cryptographic services effectively.
Data Encryption and Decryption Services#
This module enables OpenSPP to encrypt and decrypt sensitive data by securely interfacing with the configured Key Management System. When data needs protection, it is sent to the KMS for encryption, and similarly, encrypted data can be sent back for decryption. This process uses application-specific identifiers, such as "REGISTRATION" or "ENCRYPT", allowing the KMS to apply distinct key policies based on the data's context.
Digital Signature and Verification#
The module supports generating and verifying JSON Web Signatures (JWS), crucial for ensuring the integrity and authenticity of data. Users can sign various data types, including structured JSON objects or plain text, with options to include the original payload or associated certificate details in the signature. This functionality is vital for confirming that sensitive documents or messages originate from a trusted source and have not been altered.
Secure Key Manager Authentication#
The module handles the complex process of authenticating with the external Key Management System. It uses configured client IDs, client secrets, and grant types to acquire and refresh access tokens automatically. This ensures that OpenSPP maintains a secure and authorized connection to the KMS for all cryptographic operations, preventing unauthorized access to key management functions.
Configurable External KMS Connection#
Administrators can configure all necessary details for connecting OpenSPP to an external Key Management System. This includes specifying the KMS API base URL, authentication URL, and setting timeouts for API calls. Furthermore, the module allows for defining specific application and reference IDs for both encryption and signing operations, providing granular control over how different OpenSPP processes interact with the KMS and its key policies.
Conclusion#
The G2P Encryption Keymanager module is essential for OpenSPP, providing robust, external key-managed cryptographic services to secure sensitive program data and ensure data integrity.