Identity Panel supports adding encrypted values to settings and for use in workflows and schedule steps.
Enciphered values are protected when they're added to inputs, then deciphered at runtime by Panel Service.
Encryption
Enciphering a value requires the Password Storage license sku and the "Write|JsonSettings" API permission, which is normally applied to Admin and Writer roles.
To create an enciphered value, send the value to be encrypted to /api/settings/action/encipher.
Request Format
{ Value: "plaintext" }
Response Format
{ Value: "ec:ciphertext" }
The ciphertext in the response is prefixed with ec: to indicate that it is an encrypted value. The input string is converted to a byte array using UTF-8 encoding, then encrypted with the AES-256 key and IV that are stored with the Tenant record (the key is in turn protected with the .NET Data Protection API).
The resulting encrypted byte array is serialized to a Base64 string for the return value.
Decryption
To decrypt an enciphered value use /api/settings/action/decipher.
Calls to this endpoint may ONLY be made by an auth context with the Writer role. Additionally, when using SaaS, values may only be deciphered when the client is authenticated with SCRAM-SHA, further limiting calls to Panel Service or similar contexts.
The decipher endpoint uses the same request and response formats, with the ciphertext and plaintext being transposed.