Given an event is immutable.
Given we crypt sensitive information of an event.
Given the encrypting key has been compromised after saving the event.
How can we re crypt, (the real question here is how do we save back) the event(s)?
What collateral would it then create?
Any pitfall?
I appreciate any ideas on the topic.
Daniel
Hi Daniel,
To be honest, if the key used to encrypt PII (Personally Identifiable Information) in an event has been lost, there’s no way to retrieve the info anymore.
That’s what the cryptographic erasure gives us, in doing so complying with Europe’s GDPR rules.
This is also what the Axon Data Protection Module does for example.
The PII fields in an event are marked as sensitive data, and prior to serializing an event for transit and/or storage, the data is encrypted.
Losing the key would thus mean the information will be encrypted for ever, without a real way to retrieve this.
Granted, I am not entirely sure if I am answering your question to the fullest Daniel.
So if I am taking a wrong turn here with my response, please correct me with a subsequent response.
Regardless, I hope this helps out!
Cheers,
Steven
Thx!
Thank you Steven,
Indeed when the key is lost, the information cannot be recovered.
The question is about a key that become known to an undesired individual. We can still use that key to decrypt, and reencrypt using a new key.
How to change events already saved then?
Hi Daniel,
in that case, you will have to modify the events, indeed. While it’s a practice that you want to avoid, we do recognize that in certain situations you want to re-encrypt data.
Such situations include keys being compromised, need to re-generate keys with stronger cryptography (not expected, but you can never know for sure), and shifts in understanding what information is PII (especially around GDPR in Europe there are several opinions).
Depending on the type of database you use, this may or may not be easy. In a relational database, there is nothing stopping you from editing a row (which may also be problematic).
AxonServer is designed to be properly append-only. However, for the Enterprise edition, we do have tools on our roadmap that allow you to “rewrite” certain parts of an event stream. There is no API for this, as we believe this compromises the integrity of the stream as a reliable representation of history. We’re currently designing a way for this tool to be able to rewrite, while still maintaining “auditability”, for example by proving that the data of the events hasn’t been altered, merely the encryption/representation of it.
Hope that makes sense.
Kind regards,
Thank you Allard, this is exactly what I wanted to ascertain.