Skip to content

Ent Encryption

Jump to bottom
Mike Perham edited this page Jul 15, 2016 · 26 revisions

Certain industries have strong regulation around the storage of personal data. Private medical data, financial data, social security numbers, credit card numbers, all of these things are sensitive. Sidekiq Enterprise v1.3.0+ supports transparent encryption of job arguments so job data at rest in Redis cannot be seen.

Enable Encryption

In your initializer, activate the feature:

Sidekiq::Enterprise::Crypto.enable(active_version: 1) do |version|
  # this block should return the key for the version N
  #
  # every time you need to rotate the crypto key, you should bump
  # the active_version so it returns the new key for the new version.
  #
  # You can store the key in a file, in an ENV variable or on a remote
  # keystore that is accessed upon startup.
end

You can create a new random key in irb like so:

require 'openssl'
File.open("/var/crypto/secret.1.key", "w") { |file| file.write(OpenSSL::Cipher.new("aes-256-cbc").random_key) }

Configure your Private Workers

Tell Sidekiq to keep a Worker's arguments private:

class PrivateWorker
  include Sidekiq::Worker
  sidekiq_options encrypt: true

  def perform(x, y, z)
  end
end

Now create a new job:

SecretWorker.perform_async(1, 2, 3)

Within Redis, the job data will look something like this:

{"class"=>"SecretWorker", "args"=> ["BAhTOhFTaWRla2lxOjpFbmMIOgdpdiIV88Nt6SIp_xce4kWyy0u3pDoGdmkGOglibG9iIhWRZol7rIEHTY6PC2JoabbI"], "retry"=>true, "queue"=>"default", "encrypt"=>true, "jid"=>"8cdb56b54a1407d8211ce4db", "created_at"=>1468556286.811311, "enqueued_at"=>1468556286.81137}

Notes

  • The encryption header adds about 100 bytes to the size of arguments plus 30% Base64 encoding overhead. Arguments which are 1000 bytes in plaintext are about 1400 bytes when encrypted. The Base64 encoding is necessary as JSON content must be valid UTF8 and the encrypted data is binary.
  • ONLY arguments are encrypted. Any error message and backtrace will still be plaintext within a job. Be careful not to expose any sensitive data when raising errors.
  • Job arguments are encrypted when displayed anywhere in the Web UI. Debugging errors will be more difficult.
  • The unique jobs feature will not work on encrypted jobs, since encrypted arguments are always unique. If a Worker has both encrypt and unique_for options, Sidekiq will raise an error.

Home | The Basics | Best Practices | Using Redis | Error Handling | Advanced Options | Problems?

Clone this wiki locally