Decrypt Data in a Response from the Server
Using Evervault’s Encryption as a Service allows you to keep sensitive data encrypted at all times: at rest, in transit and in use. However, it's important to note that many products need to display unencrypted, or plaintext, data in the browser for their end users. If we store encrypted data in a database, we need a way to decrypt that data during a request, before it reaches the browser. We can use Evervault’s Inbound Relay Primitive to achieve this.
Inbound Relay is a proxy which can be configured to encrypt or decrypt data during a network request. In this case, we’ll be using Inbound Relay to decrypt data in a GET request sent from the client to the server.
Configure the API
In practice, an API endpoint would retrieve encrypted data from a database, before returning the response to the client. Since Inbound Relay sits between the client and the server, encrypted data in the response would be decrypted by the proxy.
Rather than setting up a local server and database, we’re going to use PutsReq to emulate the behaviour of an API endpoint. Selecting Create a PutsReq will provision a temporary endpoint that we can send requests to. We’re also going to configure the response of this endpoint to return encrypted data, mirroring the behaviour of a real endpoint that pulls encrypted data from a database.
Encrypt the Response
The easiest way to encrypt a sample response for our PutsReq endpoint is using the Evervault encrypt API. Using your App ID and API Key, both of which can be found in the Evervault Dashboard, you can call the encrypt API using cURL:
Running this cURL snippet with your App ID and API Key should return the following response:
Using this response, add the following snippet to the Response Builder in the PutsReq endpoint that you just created, and click Update. This will simulate an API endpoint that returns encrypted data that’s been retrieved from a database.
If you cURL your PutsReq endpoint using the following snippet, you’ll notice that it returns encrypted values for the email and password fields.
Next, we’re going to call the endpoint from the client, using Inbound Relay to proxy the request and decrypt the encrypted values.
Integrate the Proxy
First, we’ll need to create an Inbound Relay proxy in the Evervault Dashboard. Navigate to the Inbound Relay tab, and click Create Inbound Relay. Add putsreq.com as the destination for the Relay. You don’t need to include a path, as Relay will path-match any requests to their corresponding destinations.
When you create an Inbound Relay, Evervault provisions a Relay Domain that you can send requests to: https://<DOMAIN>.relay.evervault.com. You can find this domain in the dashboard for the Inbound Relay you just created. Any requests sent to this domain will be forwarded to your PutsReq endpoint.
Running the following cURL snippet will send a GET request to our PutsReq endpoint via Inbound Relay.
You’ll notice that the response now includes unencrypted, or plaintext, values for email and password:
In practice, you could send this request from your client, which will return the plaintext values so that you can render or use them in your product.
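A check for the two responses in this walkthrough, added here as an example and not taken from Evervault's documentation: the body fetched directly from the PutsReq endpoint should carry only ciphertext for email and password, and the body fetched through the Relay Domain only plaintext. The ev:...:$ ciphertext shape, the function names and the sample bodies are assumptions constructed for illustration; adjust the pattern to match what your encrypt call returns.

```python
import json
import re

# Assumption: encrypted values look like "ev:<segments>:$". The page does not
# show the format, so change this pattern to match your own encrypt output.
EV_CIPHERTEXT = re.compile(r"ev:[A-Za-z0-9+/=:_-]+:\$")

SENSITIVE_FIELDS = ("email", "password")  # the two fields named on the page


def classify(body: str) -> dict:
    """Map each sensitive field to 'encrypted', 'plaintext' or 'missing'."""
    doc = json.loads(body)
    states = {}
    for field in SENSITIVE_FIELDS:
        value = doc.get(field) if isinstance(doc, dict) else None
        if not isinstance(value, str) or not value:
            states[field] = "missing"
        elif EV_CIPHERTEXT.fullmatch(value):
            states[field] = "encrypted"
        else:
            states[field] = "plaintext"
    return states


def check_deployment(direct_body: str, relay_body: str) -> list:
    """Return a list of problems; an empty list means both paths behave
    as the walkthrough describes."""
    problems = []
    # Direct path: the origin must never hand out plaintext.
    for field, state in classify(direct_body).items():
        if state != "encrypted":
            problems.append(f"origin returned {state} {field}")
    # Relay path: the proxy should have decrypted every sensitive field.
    for field, state in classify(relay_body).items():
        if state != "plaintext":
            problems.append(f"relay returned {state} {field}")
    return problems


# Constructed sample bodies (not real Evervault output).
DIRECT = '{"email": "ev:AAAA:BBBB:CCCC:DDDD:$", "password": "ev:AAAA:EEEE:FFFF:GGGG:$"}'
RELAY = '{"email": "user@example.com", "password": "correct-horse"}'

if __name__ == "__main__":
    print(check_deployment(DIRECT, RELAY) or "ok")
```

Feed it the two bodies saved from the direct and relayed cURL calls; any entry in the returned list points to a field that is stored unencrypted at the origin or that the Relay did not decrypt.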
Summary
Using this architecture with Inbound Relay means that the sensitive values for email and password remain encrypted on the server, and are only decrypted during the response to the client.