User Data Encryption Promotion
Promotion of Encryption Service
Steps
Choose values for the following fields:
- master-password: choose any string of any length (can contain alphanumerics and special characters)
- master-salt: choose any string of length 8 (can contain alphanumerics and special characters)
- master-initialvector: choose any string of length 12 (can contain alphanumerics and special characters)
- Ask DevOps to generate keys for the values selected above.
- In the environment secrets.yml file, add an “egov-enc-service” subsection under the 'secrets' section and provide values for the above three fields. For example, for the dev environment: https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/dev-secrets.yaml#L29 (ask DevOps to do it)
Add the field “state-level-tenant-id“ under the “egov-enc-service:” section for the state-level tenantId in the environment yml. Example: https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/qa.yaml#L525
Promote egov-enc-service:4-master-f47bff2
Make sure an “egov-enc-service“ entry is present under “egov-service-host” in the environment yml, e.g. for dev: https://github.com/egovernments/eGov-infraOps/blob/master/helm/environments/dev.yaml#L65. If not, make the change, then build and deploy zuul from the master branch.
Data Migration
Steps
Provide the DB details in the following environment variables:
- DB_PASSWORD
- DB_HOST
- DB_PORT
- DB_USERNAME
- DB_NAME
Back up the old tables:
- CREATE TABLE eg_user_backup_plaintext AS (SELECT * FROM eg_user);
- CREATE TABLE eg_user_address_backup_plaintext AS (SELECT * FROM eg_user_address);
Temporarily drop the foreign key on eg_userrole_v1 that references eg_user, until the data has been transformed:
- ALTER TABLE eg_userrole_v1 DROP CONSTRAINT fk_user_role_v1;
Deploy the user service build with encryption so that the flyway migration runs (egov-user:11-user_changes_MT-800f319).
Clean the tables of all plaintext data (addresses first, then users):
- DELETE FROM eg_user_address;
- DELETE FROM eg_user;
Run the migration
- Python package dependencies of the migration script (user_migration.py):
- import psycopg2
- import sys
- import json
- import requests
- import configparser
- import logging
- import os
Commands to run for migration:
- python3 user_migration.py config_user_encryption.txt
- python3 user_migration.py config_address_encryption.txt
Restore the foreign key constraint dropped earlier:
- ALTER TABLE eg_userrole_v1 ADD CONSTRAINT fk_user_role_v1 FOREIGN KEY (user_id, user_tenantid) REFERENCES eg_user(id, tenantid) MATCH SIMPLE ON UPDATE NO ACTION ON DELETE NO ACTION
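Before re-adding fk_user_role_v1 it is worth confirming that the migration left every user behind: the constraint will fail if eg_userrole_v1 references a (user_id, user_tenantid) pair that no longer exists in eg_user, and a row-count gap against the plaintext backup tables means data was lost. The script below is an added example, not part of the runbook or the egov-user project; it reads the DB_* variables listed above, assumes the table and column names shown in this page's SQL, and assumes user ids are unchanged by the migration (which the restored FK already requires).

```python
"""Post-migration consistency checks for the eg_user encryption migration (added example)."""
import os
import sys

# Each query returns a single integer; the migration is consistent when every value is 0.
CHECKS = {
    "eg_user row count differs from eg_user_backup_plaintext":
        "SELECT abs((SELECT count(*) FROM eg_user) - "
        "(SELECT count(*) FROM eg_user_backup_plaintext))",
    "eg_user_address row count differs from eg_user_address_backup_plaintext":
        "SELECT abs((SELECT count(*) FROM eg_user_address) - "
        "(SELECT count(*) FROM eg_user_address_backup_plaintext))",
    "backup users missing from migrated eg_user (assumes ids are preserved)":
        "SELECT count(*) FROM eg_user_backup_plaintext b "
        "LEFT JOIN eg_user u ON u.id = b.id AND u.tenantid = b.tenantid "
        "WHERE u.id IS NULL",
    "eg_userrole_v1 rows with no matching user (fk_user_role_v1 would fail)":
        "SELECT count(*) FROM eg_userrole_v1 r "
        "LEFT JOIN eg_user u ON u.id = r.user_id AND u.tenantid = r.user_tenantid "
        "WHERE u.id IS NULL",
}


def connection_params(env):
    """Map the runbook's DB_* environment variables onto psycopg2 connect() keyword arguments."""
    return {
        "host": env["DB_HOST"],
        "port": int(env["DB_PORT"]),
        "dbname": env["DB_NAME"],
        "user": env["DB_USERNAME"],
        "password": env["DB_PASSWORD"],
    }


def evaluate(results):
    """Given {check name: integer result}, return the names of the checks that failed."""
    return [name for name, value in results.items() if value != 0]


def run_checks(conn):
    """Execute every check on an open psycopg2 connection and collect the integer results."""
    results = {}
    with conn.cursor() as cur:
        for name, sql in CHECKS.items():
            cur.execute(sql)
            results[name] = cur.fetchone()[0]
    return results


if __name__ == "__main__":
    import psycopg2  # same driver the migration script depends on
    failed = evaluate(run_checks(psycopg2.connect(**connection_params(os.environ))))
    for name in failed:
        print("FAIL:", name)
    sys.exit(1 if failed else 0)
```

Run it with the same DB_* variables as the migration; a non-zero exit means the FK should not be restored until the reported rows are investigated.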
Service Builds
User service: egov-user:11-user_changes_MT-800f319
- Set the environment variable “DECRYPTION_ABAC_ENABLED” to false
User service copy for chatbot: egov-user-chatbot:4-user_changes_MT-621fe60
Note: Promote this only if the WhatsApp chatbot is already running in the system; it uses a separate copy of the user service named “egov-user-chatbot“. Not needed if the WhatsApp chatbot is not in the system.
Report service: report:22-report-encryption-changes-e92c8ae
enc-service: egov-enc-service:4-master-f47bff2
MDMS: Copy the MDMS folder https://github.com/egovernments/egov-mdms-data/tree/master/data/pb/DataSecurity