a service that can function as a Data Privacy Vault, that’s the green bit in the high-level diagram below that conceptually shows where it would fit in some sort of production system.
Our service will provide an HTTP-based API that can be used to send sensitive data to be stored in the vault, receiving back a token that can later be used by an authorised user/service to retrieve the sensitive data.
To understand why the Data Privacy Vault is preferable to just encrypting the data check out Wikipedia’s article on Tokenization.
In this step my goal is to create a simple tokenisation service that can create tokens and return their value; for the moment, storing the data in memory is fine.
Once this is done I will have two endpoints:
Endpoint: /tokenize
Method: POST
Request payload:
{
  "id": "req-12345",
  "data": {
    "field1": "value1",
    "field2": "value2",
    "fieldn": "valuen"
  }
}
Success response: HTTP Code 201
Payload:
{
  "id": "req-12345",
  "data": {
    "field1": "t6yh4f6",
    "field2": "gh67ned",
    "fieldn": "bnj7ytb"
  }
}
Endpoint: /detokenize
Method: POST
Request payload:
{
  "id": "req-33445",
  "data": {
    "field1": "t6yh4f6",
    "field2": "gh67ned",
    "field3": "invalid token"
  }
}
Response:
{
  "id": "req-33445",
  "data": {
    "field1": {
      "found": true,
      "value": "value1"
    },
    "field2": {
      "found": true,
      "value": "value2"
    },
    "fieldn": {
      "found": false,
      "value": ""
    }
  }
}
In this step my goal was to store the data in a persistent store. All data were stored encrypted. I used Redis for this. I used the SHA-1 hashing algorithm to generate a unique token for the sensitive data. SHA-1 is not secure enough to be used in production, but for my case it was enough.
Sensitive information is stored in Redis with the token as the key and the sensitive data as the value. The sensitive data is encrypted using the AES algorithm.
This project is built using Go.
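As an added example, not the project's own code, the following Go sketch implements the core of both endpoints against an in-memory store, following the design above (token as key, AES-encrypted value; AES-GCM is used so a tampered record fails to decrypt instead of returning garbage) and returning the per-field found/value objects the spec requires for an invalid token. Tokens are drawn from crypto/rand rather than being a hash of the value, because a deterministic token lets anyone who can guess a low-entropy field value confirm it by recomputing the hash; the 16-byte key and the field values are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
)

// Result is the per-field object of the /detokenize response.
type Result struct{ Found bool; Value string }
// Vault maps token -> nonce||AES-GCM ciphertext; the map stands in for Redis.
type Vault struct{ aead cipher.AEAD; store map[string][]byte }
func NewVault(key []byte) (*Vault, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, store: map[string][]byte{}}, err
}

// Tokenize issues a fresh random token per field (a value hash would let equal
// inputs share a token) and stores the value sealed under it.
func (v *Vault) Tokenize(data map[string]string) map[string]string {
	out := make(map[string]string, len(data))
	for field, value := range data {
		buf := make([]byte, 8+v.aead.NonceSize()) // 8 token bytes + GCM nonce
		rand.Read(buf)                              // crypto/rand.Read cannot fail as of Go 1.24
		token, nonce := hex.EncodeToString(buf[:8]), buf[8:]
		// token as additional data: a blob copied under another token won't open
		v.store[token] = v.aead.Seal(nonce, nonce, []byte(value), []byte(token))
		out[field] = token
	}
	return out
}

// Detokenize yields found=false for unknown or tampered tokens (the spec's "invalid token" case).
func (v *Vault) Detokenize(tokens map[string]string) map[string]Result {
	out, ns := make(map[string]Result, len(tokens)), v.aead.NonceSize()
	for field, token := range tokens {
		out[field] = Result{} // found=false, value="" unless the blob opens
		if blob, ok := v.store[token]; ok && len(blob) >= ns {
			if plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token)); err == nil {
				out[field] = Result{Found: true, Value: string(plain)}
			}
		}
	}
	return out
}
```

A Redis-backed version stores the same nonce||ciphertext bytes under the same token key, so only the two map accesses change.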