
Encryption and Masking

Configuration and architecture

The encryption and masking module of Terminus is written in Go.

The codebase is organized so that the module can be reused by Terminus' services:

  • Proxy Service: uses the encryption module for encryption/decryption and masking of business object fields
  • Vault Service: uses the encryption module for logical encryption/decryption of vault payloads

Encryption Types

⚠️ Terminus is in Beta release: encryption types and their configuration, along with multi-tenant support, will be extended.

These are the currently supported and future encryption types:

Supported

  • AES_256 - default
  • B64 (obfuscation only: Base64 encoding is reversible by anyone without a key and provides no confidentiality)
  • No encryption (clear)

Not yet Supported

  • RSA_2048
  • Blowfish_448
  • TwoFish_256
  • FPE

Default Configuration

The environment variables define the keys used for AES-256 encryption by the vault and the proxy service.

Masking Types

⚠️ Terminus is in Beta release: masking types and their configuration will be extended, and multi-tenant support and role-based mapping will be added in the near future.

These are the currently supported and future masking types:

Supported

  • Redact
  • Clear
  • Generic

Not yet Supported

  • Password
  • Name
  • Address
  • Email
  • Mobile
  • Telephone
  • ID
  • CreditCard
  • Struct
  • URL

Business Objects UI definition for encryption/decryption/masking types

See Data Modeling, Encryption and Masking UI

model.cue

Sample of a UI-generated business object encryption configuration file, written in CUE:

```cue
// <!--BOXYHQ_FILEHeaderline_-->
// AUTOGENERATED - DO NOT EDIT
package terminus

import (
	crypto "github.com/boxyhq/terminus/internal/cryptor/model"
	masking "github.com/boxyhq/terminus/internal/cryptor/model"
	defs "github.com/boxyhq/terminus/utils:definitions"
)

// DO NOT EDIT! PREVENTING the imports for MASK/CRYPTO/DEFS to blow up instance build if not used
d_: defs.#Letters
m_: masking.#MClear
c_: crypto.#EnNoEncryption

// The model

EncryptedDefinitions: ["Passport"]

#Passport: {
	#Definition: {
		Code:         defs.#Letters
		ID:           defs.#Alphanumerical
		Name:         defs.#AlphanumericalWithSpaces
		Surname:      defs.#AlphanumericalWithSpaces
		PlaceOfBirth: string
		DateOfBirth:  defs.#SimpleDateFormat
		IssuedBy:     defs.#AlphanumericalWithSpaces
		Issued:       defs.#SimpleDateFormat
		Expires:      defs.#SimpleDateFormat
	}
	#Encryption: {
		Code:         crypto.#EnAES_256
		ID:           crypto.#EnAES_256
		Name:         crypto.#EnAES_256
		Surname:      crypto.#EnAES_256
		PlaceOfBirth: crypto.#EnAES_256
		DateOfBirth:  crypto.#EnNoEncryption
		IssuedBy:     crypto.#EnNoEncryption
		Issued:       crypto.#EnNoEncryption
		Expires:      crypto.#EnNoEncryption
	}
	#Mask_admin: {
		Code:         masking.#MClear
		ID:           masking.#MClear
		Name:         masking.#MRedact
		Surname:      masking.#MGeneric
		PlaceOfBirth: masking.#MClear
		DateOfBirth:  masking.#MClear
		IssuedBy:     masking.#MClear
		Issued:       masking.#MClear
		Expires:      masking.#MClear
	}
}
```
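The following Go program is an added example written for this page; it is not Terminus' own cryptor code and does not use its API. It shows the proxy read path the model above describes: the `#Encryption` and `#Mask_admin` entries for `Passport` are transcribed into a per-field policy, each stored field is decrypted according to its encryption type (the supported AES_256, B64 and clear types from the Encryption Types section, with AES-256-GCM standing in for whatever AES-256 mode Terminus uses) and then masked according to its masking type. The behaviour of Redact, Generic and Clear is an assumption, since the page names the types but does not define them, and the function and type names (`FieldPolicy`, `Encrypt`, `Decrypt`, `Mask`, `Read`) are this example's, not the project's. The example also makes the points a practitioner should take from the type lists: B64 is reversible without any key, a field missing from the policy fails closed instead of passing through in clear, a GCM tag failure rejects both a wrong key and a tampered value, and a key shorter than 32 bytes is refused rather than silently giving AES-128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

type FieldPolicy struct{ Enc, Mask string } // one field's #Encryption (AES_256|B64|clear) and #Mask_admin (Redact|Clear|Generic)

// PassportPolicy is transcribed from the model.cue sample above (mask column = #Mask_admin).
var PassportPolicy = map[string]FieldPolicy{
	"Code": {"AES_256", "Clear"}, "ID": {"AES_256", "Clear"}, "Name": {"AES_256", "Redact"},
	"Surname": {"AES_256", "Generic"}, "PlaceOfBirth": {"AES_256", "Clear"}, "DateOfBirth": {"clear", "Clear"},
	"IssuedBy": {"clear", "Clear"}, "Issued": {"clear", "Clear"}, "Expires": {"clear", "Clear"},
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // also accepts 16/24-byte keys, so insist on 32 for AES-256
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	return cipher.NewGCM(block)
}

// Encrypt applies one encryption type. AES_256 output is base64(nonce || ciphertext || GCM tag).
func Encrypt(key []byte, t, plaintext string) (string, error) {
	switch t {
	case "clear":
		return plaintext, nil
	case "B64": // obfuscation only: no key involved, anyone can reverse it
		return base64.StdEncoding.EncodeToString([]byte(plaintext)), nil
	case "AES_256":
		g, err := newGCM(key)
		if err != nil {
			return "", err
		}
		nonce := make([]byte, g.NonceSize()) // fresh random nonce per value, never reused
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		return base64.StdEncoding.EncodeToString(g.Seal(nonce, nonce, []byte(plaintext), nil)), nil
	}
	return "", fmt.Errorf("unsupported encryption type %q", t)
}

// Decrypt reverses Encrypt; for AES_256 the GCM tag check rejects a wrong key or a tampered value.
func Decrypt(key []byte, t, stored string) (string, error) {
	if t == "clear" {
		return stored, nil
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || t == "B64" {
		return string(raw), err
	}
	g, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < g.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], nil)
	return string(pt), err
}

// Mask applies one masking type. The behaviour per type is assumed here (the page does not define it): Redact replaces every character, Generic keeps only the first and last, Clear returns the value as is.
func Mask(t, v string) string {
	switch t {
	case "Redact":
		return strings.Repeat("*", len(v))
	case "Generic":
		if len(v) <= 2 { // too short to keep anything without revealing it all
			return strings.Repeat("*", len(v))
		}
		return v[:1] + strings.Repeat("*", len(v)-2) + v[len(v)-1:]
	}
	return v
}

// Read is the proxy read path for the admin role over one business object: decrypt each field as #Encryption says, then mask it as #Mask_admin says. A field with no policy fails closed.
func Read(key []byte, pol map[string]FieldPolicy, stored map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(stored))
	for k, v := range stored {
		p, ok := pol[k]
		if !ok {
			return nil, fmt.Errorf("field %q has no encryption/masking policy", k)
		}
		pt, err := Decrypt(key, p.Enc, v)
		if err != nil {
			return nil, err
		}
		out[k] = Mask(p.Mask, pt)
	}
	return out, nil
}
```

With the policy above, a stored `Passport` whose `Name` is "Ada" and `Surname` is "Lovelace" reads back for the admin role as `Name: ***` and `Surname: L******e`, while `DateOfBirth` is stored and returned in clear. The write path is the same loop calling `Encrypt` with each field's `Enc` entry; the per-role `#Mask_<role>` structs become additional policy maps that differ only in the `Mask` column.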