Data Encryption at Rest


I have a requirement to encrypt sensitive data stored as process variables. I can probably limit the scope to process variables stored as byte arrays. Symmetric key AES is likely sufficient.

Ideally Id use a trusted Key management service which would on request, generate a new data key and encrypted data key. Hence the data key can be used to encrypt and the encrypted key can be stored with the encrypted content. On read, the encrypted key can be decrypted by the key management service to return the data key for decrypting the data.

In looking at the persistence code, I could consider extending the ByteArray object to include the associated encrypted key, however, where would be the best place to centralise the encryption/decryption logic?

Id like to make the encryption/decryption as transparent as possible to the engine. I could use transparent database encryption however this is too coarse grained and does not prevent the DBA from gaining access to the data. Hence the desire for application layer data encryption.



Hi Rob,

You could try implementing a custom variable serializer. You can either replace the regular byte array serializer or add another serializer that uses a different value type. Relevant code to get started is the following:

  • ByteArrayValueSerializer and its #readValue and #writeValue methods
  • ProcessEngineConfigurationImpl#initSerialization where all the default serializers are registered. You may either need to override that method or write a process engine plugin that adds your custom serializer
  • ValueType: If you want to use the default byte array serializer and your custom serializer in parallel, it may be required to implement a custom ValueType (that you then have to use when setting variables) so that the process engine is able to determine which serializer to use


1 Like