-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Ent Encryption
Mike Perham edited this page Jul 15, 2016
·
26 revisions
Certain industries have strong regulation around personal data. Private medical data, financial data, social security numbers, credit card numbers, all of these things are sensitive. Sidekiq Enterprise supports transparent encryption of job arguments so job data at rest in Redis cannot be seen.
In your initializer, activate the feature:
Sidekiq::Enterprise::Crypto.enable(active_version: 1) do |version|
# this block should return the key for the version N
# every time you need to rotate the master key, you should bump
# the active_version so it returns the new key for the new version.
# You can store the key in a file, in an ENV variable or on a remote
# keystore that is accessed upon startup.
endYou can can create a new random key in irb like so:
require 'openssl'
File.open("/var/crypto/secret.1.key", "w") { |file| file.write(OpenSSL::Cipher.new("aes-256-cbc").random_key) }Tell Sidekiq to keep a Worker's arguments private:
class SecretWorker
include Sidekiq::Worker
sidekiq_options encrypt: true
def perform(x, y, z)
end
end- The encryption header adds about 100 bytes to the size of arguments plus 30% Base64 encoding overhead. Arguments which are 1000 bytes in plaintext are about 1400 bytes when encrypted. The Base64 encoding is necessary as JSON content must be valid UTF8 and the encrypted data is binary.
- ONLY arguments are encrypted. Any error message and backtrace will still be plaintext within a job.
- The unique jobs feature will not work on encrypted jobs, since encrypted arguments are always unique. If a Worker has both
encryptandunique_foroptions, Sidekiq will raise an error.