Encryption
Learn how to encrypt your job arguments
Introduction
Some applications have strong regulations around the storage of personal information. For example financial details or personal information.
Encrypting job arguments is supported out-of-the-box. It uses AES with Galois/Counter Mode (AES-GCM) for performing symmetric encryption.
Implementation Details
Encrypted arguments are only decrypted when the job is being executed
Errors and stack traces are not encrypted so be careful with any errors you may throw during the execution of a job
Arguments are encrypted at rest as well as in Doddle Web, you will not be able to view encrypted job arguments in the web dashboard
Argument names must be unique - duplicates are not allowed
Only string arguments supports encryption at the moment, however, this may change in the future
Generating keys
Doddle requires the keys to be at least 32 characters in length. You can generate one using the openssl command like this:
openssl rand -base64 32
Key rotation
It's a good idea to rotate your encryption keys often - old keys should be retired often and replaced with a new key.
During the configuration of the encryption module, multiple keys can be defined (please see the section below about the configuration). Only one of the keys can be set as the current key. This key will be used for all new enqueued jobs.
It is important to keep older keys stored until you are certain that there are no jobs inside doddle that use a retired key.
Activating Encryption
By default encryption is disabled until you explicitly enable it. If you try to enqueue a job that requires an encrypted argument then Doddle will throw an exception.
During the client configuration bootstrapping stage, enable the encryption like follows:
The keys should be not be hard coded (for obvious reasons). We strongly recommend fetching the keys from environment variables or using an MFA. Example of using an environment variable:
Last updated