Share Encrypted Data with a Third-Party API

Using Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. Although this is a powerful security enhancement, third-party APIs need data in plaintext. We need a way to decrypt that data after it leaves our infrastructure, and before it reaches a third-party endpoint. We can achieve this using the Relay Primitive.

Relay is a network proxy that can be configured to decrypt data during a request. If we proxy our request to a third-party endpoint through Relay, we can configure it so that any encrypted data in the payload will be decrypted, allowing the request to be processed as normal.


Create a Relay

We’ll use PutsReq to simulate a third-party API. In practice, this could be an endpoint from any third-party service. We can create a PutsReq by navigating to putsreq.com/, where we will be given a temporary endpoint that we can send requests to. To create a Relay for your PutsReq endpoint, navigate to the Relays tab in the Evervault Dashboard and click Create Relay. Add the PutsReq endpoint to the destination field.

A screenshot of the Evervault Dashboard showing a Relay being created with a RequestBin endpoint as its destination

Configure a Relay Decrypt Action

Once your Relay has been created, click Add Route to configure an Action. The Action we are going to create will decrypt the JSON field accountNumber when the URL path matches our PutsReq path.

A screenshot of the Evervault Dashboard showing a Relay being configured to decrypt requests sent to putsreq

Enable Relay Authentication

When decrypting data with Relay, it's important to enable Relay Authentication. This will authorize requests from your API to Relay with an Evervault API Key. A Relay that does not have Authentication enabled could allow unauthenticated applications to decrypt data through your Relay.

A screenshot of Relay Authentication toggled to true

Create an API Key

Once Relay Authentication is enabled, an API Key will be required to decrypt data. Create an API Key by navigating to your App Settings and clicking Create Key. For a successful decryption with Relay, the API Key must have the Proxy permission selected.

A screenshot of an API Key configured to use Relay
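
The configuration built in the steps above (one route, one decrypted field, Relay Authentication, a key with the Proxy permission) can be reasoned about with a small local model. This is an added example, not Evervault's code or SDK: the AES-GCM stand-in cipher, the `enc:` prefix, the keys, the path and the status codes are all assumptions made so it runs offline.

```ruby
require "openssl"
require "json"
require "base64"

# Stand-in cipher so the model runs offline; NOT Evervault's encryption scheme.
KEY = OpenSSL::Random.random_bytes(32)

def toy_encrypt(plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = KEY
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  "enc:" + Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

def toy_decrypt(token)
  raw = Base64.strict_decode64(token.delete_prefix("enc:"))
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = KEY
  cipher.iv = raw[0, 12]        # 12-byte IV
  cipher.auth_tag = raw[12, 16] # 16-byte GCM tag
  cipher.update(raw[28..]) + cipher.final
end

# Hypothetical mirror of the Dashboard settings: one route, one field, auth on.
ROUTE = { path: "/constructed-putsreq-path", decrypt_fields: ["accountNumber"] }
API_KEYS = { "key-with-proxy" => ["proxy"], "key-without-proxy" => [] } # constructed

# Returns [status, body forwarded to the destination or nil].
# The 401/403 codes are this model's choice, not documented Relay responses.
def relay(path, api_key, body)
  perms = API_KEYS[api_key]
  return [401, nil] if perms.nil?                  # authentication: unknown or missing key
  return [403, nil] unless perms.include?("proxy") # key lacks the Proxy permission
  payload = JSON.parse(body)
  if path == ROUTE[:path]                          # decrypt only on the configured route
    ROUTE[:decrypt_fields].each do |field|
      value = payload[field]
      payload[field] = toy_decrypt(value) if value.is_a?(String) && value.start_with?("enc:")
    end
  end
  [200, JSON.generate(payload)]
end

# Constructed request body: two encrypted fields, only one selected by the route.
def sample_body
  JSON.generate("accountNumber" => toy_encrypt("12345678"), "memo" => toy_encrypt("rent"))
end
```

In the model, only the selected field on the matching path leaves as plaintext; every other encrypted value is forwarded as ciphertext, and nothing is forwarded without a key that carries the Proxy permission.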

Integrate the Proxy

Begin by copying the Relay URL from within the Relay Settings section of the Dashboard.

A screenshot of a Relay configured for decryption

This example will encrypt data with the encrypt method of the Evervault SDK and send data through a Relay with the net/http HTTP client. If you check the PutsReq logs you will notice the accountNumber field of the JSON payload has been decrypted.

Summary

Using Relay means you can still interact with any third-party API that requires sensitive data in plaintext, while keeping it encrypted at all times within your application.
