Encryption at rest with logging server

I have an ELK setup where I store my API logs when requests and responses pass through Apigee. Sometimes the request body contains sensitive data, which also gets stored in the log server, which is not a good thing.

I wanted to know if I can encrypt data in Apigee and then send the encrypted version into my log server. I thought of doing masking but that is only used to hide data in the trace.

Please suggest something....

ACCEPTED SOLUTION

Depending on your use case, either encrypting or just plain hashing are suitable approaches to prevent sensitive values in your log server. If you know the variable names, you could use a simple JavaScript policy to replace the plain text values with the encrypted/hashed value. This would have to be done before the logging policy and ideally in the form of a flow hook if you want to enforce this behavior for all proxies.

For the sharedflow you can check out this reference in the Apigee devrel repo https://github.com/apigee/devrel/tree/main/references/common-shared-flows/logging-v1.
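
One way to do the replacement step the accepted answer describes, as an added example that is not part of the original answer or of the Apigee devrel repo. It uses a keyed hash (HMAC-SHA256) instead of a bare hash, so short values such as card numbers cannot be recovered by guessing without the key. The field names, key and sample body are constructed, and Node's `crypto` module stands in for the proxy runtime's crypto facilities.

```javascript
// Added example: field names, key and sample body are constructed for illustration.
const { createHmac } = require("crypto"); // Node stand-in for the proxy runtime's crypto

// Hypothetical list of JSON field names (lower-cased) treated as sensitive.
const SENSITIVE_FIELDS = new Set(["password", "ssn", "cardnumber"]);

// Keyed hash: equal inputs give equal tokens, so log entries stay correlatable,
// but the original value cannot be brute-forced without the key.
function tokenize(value, key) {
  const tag = createHmac("sha256", key).update(String(value)).digest("hex");
  return "hmac-sha256:" + tag.slice(0, 32);
}

// Recursively copy a parsed JSON value, replacing sensitive leaves with tokens.
function redact(node, key) {
  if (Array.isArray(node)) return node.map((item) => redact(item, key));
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [name, value] of Object.entries(node)) {
    if (!SENSITIVE_FIELDS.has(name.toLowerCase())) {
      out[name] = redact(value, key);
    } else if (value !== null && typeof value === "object") {
      out[name] = "[REDACTED]"; // whole sensitive sub-object: drop it entirely
    } else {
      out[name] = tokenize(value, key);
    }
  }
  return out;
}

// Build the string handed to the logging step. A body that is not valid JSON
// is summarised instead of logged verbatim, so it cannot leak unredacted.
function buildLogPayload(rawBody, key) {
  if (!rawBody) return "";
  try {
    return JSON.stringify(redact(JSON.parse(rawBody), key));
  } catch (e) {
    return JSON.stringify({ unparsedBody: true, length: rawBody.length });
  }
}

// Constructed sample request body and key (a real key belongs in a secret store).
const SAMPLE_KEY = "constructed-demo-key";
const SAMPLE_BODY = JSON.stringify({
  user: "alice",
  password: "hunter2",
  payment: { cardNumber: "4111111111111111", amount: 12.5 },
  items: [{ sku: "A1", ssn: "000-00-0000" }],
});
console.log(buildLogPayload(SAMPLE_BODY, SAMPLE_KEY));
```

In a JavaScript policy the raw body would be read with `context.getVariable('request.content')` and the result written to a flow variable that the logging policy references instead of the original content.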

Thanks for your response...

I have a similar setup for logging. I will try to use CryptoJS to generate encrypted strings and make those part of my payload to the logging server.