Encrypted Custom Attributes #38
Hello,
Hello @Lamak121, you can control who has access to the custom attribute using roles and permissions. If the user does not have access, the custom attribute will not be visible and the user can't see its value or make any change. I think we can implement support for a protection level like the one supported in the secret data attributes. The protection level can be set to protect the custom attribute content, for example by encryption with the key stored in the keystore or HSM, and stored in the database. When a user who has access to such a custom attribute requests its value, it will be decrypted and provided to the user (via API or UI). We currently support encryption of SCEP and CMP related secrets using SecretUtils, so it can be used for basic protection of the information for now. However, the implementation of the protection level for attributes is necessary.
Hi all,
I wanted to discuss a use case we encountered when using Czertainly to store customer certificates.
We often need to store the `.pfx` password associated with some of the certificates in our inventory. Currently, we use a custom attribute to achieve this, which is less than ideal. Czertainly allows us to hide attributes based on the user's group, but that still doesn't encrypt the attribute in the database. Is there an existing, more suitable method for handling this scenario? If not, adding a feature to encrypt a custom attribute would be beneficial, in my opinion.
Does this approach seem reasonable?