Reading encrypted artifacts
Artifacts may be stored encrypted in the process archive. Such objects carry an is_encrypted=true entry
in their S3 user metadata. To read them, the ProcessArchiveReader must be created with a
DecryptingStorageObjectRepository, which decrypts the payload client-side via jEAP Crypto before Avro
deserialization.
Prerequisites
- A
software.amazon.awssdk.services.s3.S3Clientfor the archive bucket. - A
ch.admin.bit.jeap.crypto.api.KeyReferenceCryptoServicefrom jEAP Crypto. See the jeap-crypto documentation on how to configure and inject aKeyReferenceCryptoServiceinstance. The library declaresjeap-crypto-coreas aprovideddependency, so the consuming service must bring jEAP Crypto on its classpath.
Wiring the decrypting reader
The auto-configured ProcessArchiveReader bean uses a plain S3StorageObjectRepository and does not
decrypt. To read encrypted artifacts, construct your own reader with a DecryptingStorageObjectRepository:
KeyReferenceCryptoService cryptoService = ...; // injected from jEAP Crypto
ProcessArchiveReader reader = new ProcessArchiveReader(
new DecryptingStorageObjectRepository(s3Client, cryptoService));
MyArchiveType myObject = reader.readArtifact(MyArchiveType.class, bucket, key);
How decryption is applied
DecryptingStorageObjectRepository extends S3StorageObjectRepository. After fetching the object it
inspects the S3 metadata: when is_encrypted is true it replaces the payload with
cryptoService.decrypt(data); otherwise it returns the object unchanged. This means the same decrypting
reader transparently handles both encrypted and unencrypted objects in a bucket. The writer schema object
is read as-is and is not decrypted.