Question

PropertyEncrypt access control policy and how to use it

In our application, we need to store sensitive data encrypted in the database.

For this reason we have decided to use the PropertyEncrypt access control option based on this article:
https://community.pega.com/knowledgebase/encryption-pega-platform
To quote it:
"Property-level encryption by using access control policies – If you configure Pega Platform to support attribute-based access control, you can encrypt any property type by listing it in a PropertyEncrypt access control policy. The property is encrypted in the database, clipboard, logs, and search indexes. If there is no PropertyRead policy that obfuscates the property, then the decrypted property value is visible to the user in a UI control. Properties specified in a PropertyEncrypt policy are encrypted unconditionally. Define PropertyRead policies to obfuscate or mask these values depending on who is viewing them. To get the cleartext value outside of UI controls (for example, in the background processing of cases), you need to call the appropriate decryption method. This feature is available beginning with Pega 7.4."
So I have created the site specific cipher using this guide: https://community.pega.com/knowledgebase/articles/creating-custom-cipher-pega-platform
I. How To Decrypt?
Encryption works for the properties listed in the propertyEncrypt.
Basic controls can show the properties decrypted on the UI.
Only problem is: I have not found a way to decrypt values manually.
There are 2 functions that would serve this purpose:
Neither works for me, on Pega platform 8.2.
1. option: @decyptPropertyValue() But it only works for TextEncrypted properties. It searches for pyRuleAccessWhen and that is only available for Text Encrypted properties.
2. option: @DecryptPW() it does not work as you can see below. (the function is not decrypting the property when I run the activity with this step either.)

The command I used to create the Java class for the cipher class was:
.\runPega.bat --driver **** --prweb **** --propfile \**** com.pega.pegarules.exec.internal.util.crypto.PRCipherGenerator blowfish/cfb/pkcs5padding 128
Based on the guide.
And again, encrypting works (it is encrypted everywhere) and decryption works automatically on the UI.
So is there any other way to do it? "To get the cleartext value outside of UI controls (for example, in the background processing of cases), you need to call the appropriate decryption method."

II. What is the benefit in using this?
Compared to the TextEncrypted property type, I don't see any benefit. Only that you can just list string type properties in the PropertyEncrypt access control policy and you don't have to change the property type itself, if you want to encrypt something.
But there is no way to automatically decrypt anything based on any kind of condition.
Manual decryption is not working (at least for me).
You can still only encrypt string values this way. Nothing else. No integer, date, decimal is allowed on the propertyEncrypt.

So if anyone has an idea on how to decrypt an encrypted property when using a custom cipher and encrypted properties via propertyEncrypt access control policy, I would highly appreciate it!

Thank you,
Adam

***Edited by Moderator: Lochan to update platform capability tags***

Comments


September 26, 2019 - 1:12pm

If you have implemented a custom site specific Cipher class, you should be able to call the "decrypt" public interface method on an instance of the same class. For example you can write a single java step activity to decrypt an encrypted input parameter.

// Assumes the site-specific cipher class generated with PRCipherGenerator
// (replace my.custom.site.CipherClass with the actual class name).
my.custom.site.CipherClass myCipherClass = new my.custom.site.CipherClass();

byte[] decrypted = null;
try {
    // decrypt() takes the encrypted string as stored by the PropertyEncrypt policy
    decrypted = myCipherClass.decrypt(tools.getParamValue("EncryptedTextParam"));
} catch (CryptographicException ie) {
    ie.printStackTrace();
}

if (decrypted == null) {
    return "";
}

// Decode the plaintext bytes back into a Java string
// (StandardCharsets.UTF_8 avoids the checked UnsupportedEncodingException)
String decryptedString = new String(decrypted, java.nio.charset.StandardCharsets.UTF_8);

return decryptedString;
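As an added, self-contained illustration of the pattern in the answer above (this is not code from the original post, and not Pega's generated cipher class), the class below plays the role of a site-specific cipher using the same transformation the question generated, blowfish/cfb/pkcs5padding with a 128-bit key, and shows the decrypt-to-string call with the guards a background activity needs. The class name SiteCipherDemo, the method signatures encrypt(byte[]) / decrypt(String), the Base64 IV-prefixed storage format and the demo key are all assumptions; the real generated class keeps its own key material and may expose a different signature.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative stand-in for a site-specific cipher class (assumed API, not Pega's).
public class SiteCipherDemo {

    // Same transformation string the question passed to PRCipherGenerator
    static final String TRANSFORMATION = "Blowfish/CFB/PKCS5Padding";
    static final int IV_BYTES = 8;   // Blowfish block size, so the IV is 8 bytes

    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    public SiteCipherDemo(byte[] keyBytes) {
        if (keyBytes.length != 16) {
            throw new IllegalArgumentException("expected a 128-bit key");
        }
        this.key = new SecretKeySpec(keyBytes, "Blowfish");
    }

    // Encrypts and returns Base64(iv || ciphertext); a fresh IV per value means
    // two equal plaintexts do not produce equal stored strings.
    public String encrypt(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverses encrypt(): pulls the IV back out of the stored value, then decrypts the rest.
    public byte[] decrypt(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES) {
            throw new GeneralSecurityException("ciphertext too short to contain an IV");
        }
        IvParameterSpec iv = new IvParameterSpec(in, 0, IV_BYTES);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(in, IV_BYTES, in.length - IV_BYTES);
    }

    // The call shape from the answer, with the guards a Java step needs:
    // an unset property yields "" instead of a NullPointerException, and the
    // plaintext bytes are decoded with an explicit charset.
    public static String decryptToString(SiteCipherDemo cipher, String encryptedValue)
            throws GeneralSecurityException {
        if (encryptedValue == null || encryptedValue.isEmpty()) {
            return "";
        }
        return new String(cipher.decrypt(encryptedValue), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real site-specific cipher holds its own key.
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        SiteCipherDemo cipher = new SiteCipherDemo(key);

        String secret = "4111-1111-1111-1111";   // constructed sample value
        String stored = cipher.encrypt(secret.getBytes(StandardCharsets.UTF_8));
        System.out.println("stored form: " + stored);
        System.out.println("round trip ok: " + secret.equals(decryptToString(cipher, stored)));
        System.out.println("empty value -> \"" + decryptToString(cipher, "") + "\"");

        // Malformed input is rejected instead of being decrypted into garbage.
        try {
            decryptToString(cipher, stored.substring(0, 4));
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that Blowfish is a 64-bit block cipher; it works here because it is what the question's generator command specified, but for new deployments a 128-bit block cipher such as AES is the usual choice. Whatever cipher the generated class uses, the decrypt side has to be handed exactly the string the PropertyEncrypt policy stored, not a value that a UI control has already decrypted.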