Hub System Encryption Wallet
The HVR Hub System encryption wallet (simply called 'wallet' in this article) is an advanced method for secure password encryption and storage. When you enable the wallet, classified data in the Fivetran HVR system is encrypted using the modern AES256 encryption scheme and then stored in the repository database. The key used for encryption is stored in the wallet. The wallet can be a software wallet or a KMS wallet. For more information, see Wallet Types.
Benefits of using the wallet:
- Without the encryption key, a user (authorized or unauthorized) cannot decrypt the passwords even if they have access to the repository database.
- HVR sends these encrypted passwords over the network to other HVR processes. If the connection is intercepted and the messages are accessed, it will not be possible to decrypt sensitive information (like passwords) without the encryption key.
If the wallet is not configured and enabled, a less secure method is used: all user passwords in HVR are obfuscated (using a password obfuscation method) and stored in the repository database. If either of the following happens (unauthorized access to the repository, or the network connection is intercepted and the messages are read), the obfuscated passwords may be obtained and de-obfuscated.
The encryption wallet supports encryption of Secret and Confidential data only. When a Software or KMS wallet is used, only the Secret data is encrypted by default. To enable encryption of the Confidential data as well, use the command hvrhubconfig:
hvrhubconfig hub Encrypt_Transaction_Files=true
Wallet Properties
The encryption wallet is configured using the wallet properties. The wallet properties that can be saved/configured differ based on the wallet type. For more information about the wallet properties, see Wallet Properties.
How It Works
Whenever an HVR process running on the HVR Hub (called the hub process in this article) needs the encryption key (to encrypt/decrypt data), it looks into the wallet configuration to determine the wallet type and other required information related to the wallet. The hub process then opens the wallet by supplying the wallet password and fetches the decrypted encryption key into this hub process's memory. A decrypted encryption key is never stored on disk.
Methods for Supplying Wallet Password
The wallet password must always be supplied for opening the wallet. Currently, only the following method is supported for supplying the wallet password:
Auto-Open Password: In this method, no intervention from the user is required; instead the wallet password is supplied by automatically fetching it from the wallet configuration. The wallet password is stored obfuscated in a wallet credential file in the HVR_CONFIG/wallet directory. This method is suited to situations where user intervention is not desirable after a system restart; however, it is less secure to have the wallet password stored in the wallet credential file.
To enable or disable this method, use the wallet property Auto_Open. If this method is used together with the software wallet, the backup of the wallet credential file and the backup of the repository database should be taken at the same time. It is recommended to store the backups in separate locations to limit the security threat in case one backup is compromised.
Wallet Types
HVR supports the following types of wallets:
Software wallet: In this wallet type, the wallet is an encrypted (using PKCS #12 standard) and password-protected file (stored in the wallet property Encryption_Key_PKCS12) that stores the encryption key. The password for the software wallet (file) should be supplied by the user while creating the software wallet or will be auto-generated by HVR if not supplied during wallet creation.
When the command to create the software wallet is executed, HVR creates a wallet configuration inside the repository. It also generates an encryption key inside the software wallet file (Encryption_Key_PKCS12).
Whenever the hub process needs the encryption key (to encrypt/decrypt data), it opens the software wallet by supplying the wallet password and fetches the decrypted encryption key from the software wallet file (.p12) and then stores it in the hub process's memory. Note that the encryption key is decrypted only after the wallet password is supplied.
Whenever the encryption key is rotated or the software wallet password is changed, the encryption key is actually migrated to a new software wallet.
KMS wallet: In this wallet type, the wallet is a network service (AWS KMS) that encrypts the encryption key. The encrypted key is stored in the wallet configuration. The KMS wallet is protected either by the AWS KMS credentials or the AWS IAM role, which should be supplied by the user while creating the KMS wallet.
When the command to create the KMS wallet is executed, HVR contacts KMS using the credentials supplied/configured. The KMS then generates the encryption key, encrypts it, and sends it to HVR. HVR saves the (encrypted) encryption key in the wallet configuration. Depending on the authentication method chosen for the KMS wallet, either the KMS Access Key Id or the KMS IAM Role must be supplied with the KMS wallet create command; this is saved in the wallet configuration.
If the authentication method is KMS Access Key Id, the wallet password is the secret access key of the AWS IAM user used for connecting HVR to KMS.
If the authentication method is KMS IAM Role, there is no separate wallet password since the authentication is done based on the AWS IAM Role. This authentication mode is the same one used when connecting HVR to AWS S3 by using an AWS Identity and Access Management (IAM) Role. This option can be used only if the HVR Hub is running inside the AWS network on an EC2 instance, and the AWS IAM role specified here must be attached to that EC2 instance. When a role is used, HVR obtains a temporary access key pair from the EC2 machine. For more information about IAM Roles, refer to IAM Roles in the AWS documentation.
Whenever the hub process needs the encryption key (to encrypt/decrypt data), it fetches the encrypted key from the wallet configuration and sends it to AWS KMS. The KMS then decrypts the encryption key and sends it back to HVR, which stores it in the hub process's memory.
For the KMS wallet which is based on the KMS Access Key Id authentication, the wallet password is changed whenever the KMS credential (secret access key of the IAM user) is updated.
Encryption Key Rotation
The encryption key should be rotated periodically to meet cryptographic best practices and industry standards. Rotating the encryption key means retiring the existing key and replacing it with a newly generated key. Encryption key rotation helps to keep data leaks bounded in case the encryption key is stolen/compromised.
When the command to rotate the encryption key is executed, the following process takes place:
- Generate a new encryption key.
- Decrypt repository table data with the old encryption key.
- Encrypt repository table data with the new encryption key.
The encryption key rotation does not re-encrypt data outside of the HVR repository tables, such as job scripts and transaction files. For scripts or services that store the key, the script or service must be recreated.
After the encryption key rotation, the old encryption key is deactivated, encrypted with the newest key, and retained. It is retained to decrypt the data that was encrypted using the old encryption key. During the rotation and a short time afterwards, the old encryption key still needs to be available for HVR. After the rotation, it might be needed for non-repository items such as job scripts, and transaction files that were created using the old key.
Each encryption key has a unique sequence number so that the history (all versions) of the encryption key can be tracked.
History
- The old encryption keys are stored in the wallet configuration, which is protected by the new encryption key. HVR keeps the history of the encryption keys in the wallet configuration in a JSON format.
- The old/history encryption keys retained in the wallet configuration can be purged/deleted (hvrwalletconfig option -S or -T) to avoid compromise/leakage of these keys.
For encryption key rotation, see hvrwalletconfig option -r.
Wallet Migration
Moving the encryption key from one wallet to another is called wallet migration.
Following are the two modes of wallet migration:
Wallet migration with the same encryption key
In this mode, during the wallet migration, the encryption key does not change; instead only the wallet storage is changed. The encrypted wallet storage is first decrypted and the encryption key is moved to the new wallet, which is encrypted. During wallet migration, both the old wallet and the new wallet must be available simultaneously while the encryption key is decrypted. After the wallet migration completes, the old wallet is discarded.
Wallet migration with a new encryption key
In this mode, during the wallet migration, the encryption key is replaced (rotated) with a new encryption key, and the wallet storage is changed. The encrypted wallet storage is first decrypted, the encryption key is rotated, and the new key is moved to the new wallet, which is encrypted. During wallet migration, both the old wallet and the new wallet must be available simultaneously while the encryption key is decrypted. After the wallet migration completes, the old wallet is discarded.
For wallet migration, see hvrwalletconfig option -m.
Migration Scenarios
The following scenarios/conditions lead to the migration of the wallet.
In the software wallet, migration happens if a user:
- Switches to another wallet type.
- Changes the wallet password. When the command to change the software wallet password is executed, HVR creates a new wallet file (.p12) with a new password and then moves the encryption key from the existing wallet file to the new file.
- Rotates the encryption key. When the encryption key is rotated, the existing encryption key stored in the software wallet file (.p12) is retired and replaced with a newly generated encryption key in a new software wallet file.
In the KMS wallet, migration happens if a user:
- Switches to another wallet type.
- Changes the KMS credentials and uses hvrwalletconfig with option -m. If option -m is not used, the KMS credential change is considered a configuration update, and the updated configuration is saved in the wallet configuration file.
- Changes the KMS Customer Master Key (CMK) ID and uses hvrwalletconfig with option -m. If option -m is not used, the KMS CMK ID change is considered a configuration update, and the updated configuration is saved in the wallet configuration file.
During the KMS wallet migration, the old KMS account will be accessed by HVR for decryption.