I would like to intercept the call to start a process instance and encrypt the data based on the process definition. I’m using the REST API and therefore would like to avoid creating a custom endpoint for starting a process instance. I’ve looked at creating a Jersey interceptor but that means noodling around with the input stream which works but breaks when I try to reset the stream with the encrypted data. Next I looked at Command interceptor but that doesn’t give me access to the data to manipulate it. Next variable listener but not sure if that’s plugged in. The process instance has to be started with the encrypted data.
Any help would be appreciated.
Would it be acceptable to use a transient variable in process instance start, and then use a listener in your start event to encrypt the data and save the encrypted version as a database backed process variable?
As @StephenOTT suggests, a process variable will remain in ephemeral memory until flushed to the DB. You can use a transient variable or delete the process variable prior to a flush to prevent the variable hitting the database.
I've done something similar in the past and I found a very easy solution was to use a Java SealedObject and an AWS KMS service. The sealed object can be persisted as a serialized process variable with an embedded encrypted data key. The data key must be decrypted by the KMS in order to decrypt the sealed object, so you get a data key per object, the ability to rotate the master key in the KMS, and master key version management is taken care of. It's a very secure, elegant solution. For your process tasks, just add a task listener to decrypt the object into ephemeral memory as required.
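
The envelope scheme described in the last reply, sketched as an added example that is not the poster's code: a per-object data key seals the payload in a `SealedObject`, and only the wrapped data key is stored beside it. It assumes Java 16+ and uses a hypothetical in-memory `LocalKms` class in place of AWS KMS so that it runs offline; `EnvelopeDemo`, `Envelope`, `seal` and `open` are illustrative names.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.HashMap;

public class EnvelopeDemo {
    // Hypothetical local stand-in for the KMS. With a real KMS the master key never
    // leaves the service; wrap/unwrap map to its GenerateDataKey and Decrypt operations.
    static final class LocalKms {
        private final SecretKey master;
        LocalKms() throws Exception { master = newAesKey(); }
        byte[] wrap(SecretKey dataKey) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.WRAP_MODE, master);
            return c.wrap(dataKey);
        }
        SecretKey unwrap(byte[] wrapped) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, master);
            return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        }
    }
    // The value persisted as a serialized process variable: ciphertext plus wrapped data key.
    record Envelope(byte[] wrappedDataKey, SealedObject sealed) implements Serializable {}

    static SecretKey newAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }
    static Envelope seal(Serializable payload, LocalKms kms) throws Exception {
        SecretKey dataKey = newAesKey();                 // fresh data key per object
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                // unique IV per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, dataKey, new GCMParameterSpec(128, iv));
        return new Envelope(kms.wrap(dataKey), new SealedObject(payload, c));
    }
    static Object open(Envelope e, LocalKms kms) throws Exception {
        // Throws if the wrapped key or the sealed data was altered (GCM tag check).
        return e.sealed().getObject(kms.unwrap(e.wrappedDataKey()));
    }
    public static void main(String[] args) throws Exception {
        LocalKms kms = new LocalKms();
        HashMap<String, String> vars = new HashMap<>();  // constructed sample data
        vars.put("customerRef", "constructed-sample-value");
        Envelope env = seal(vars, kms);
        System.out.println("round trip ok: " + vars.equals(open(env, kms)));
    }
}
```

In the setup discussed in this thread, `seal` would run in the start-event listener on the transient variable and `open` in a task listener, so only the `Envelope` reaches the database.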