
Data encryption with customer-owned keys

This document describes how to encrypt sensitive profile data with keys that you own. Each archived profile is encrypted with a per-record AES key, and that AES key is in turn encrypted with the RSA public key you provide, so only the holder of your private key can recover the data.
We recommend using OpenSSL to generate the 2048-bit RSA key pair.

info

This feature is available to selected enterprise clients only.

RSA Key Pair Generation

  1. Generate a Key Pair:

    • Use the following command in your terminal to generate an RSA key pair:
    openssl genrsa -out private.pem 2048
    • Extract the public key from the private key:
    openssl rsa -in private.pem -pubout -out public.pem
  2. Test your key pair

    • Create a test file, file.txt:
    echo "test" > file.txt
    • Encrypt the file with your public key:
    openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep -in file.txt -out file.enc
    • Decrypt the encrypted file with your private key:
    openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep -in file.enc -out file.enc.txt
    • Open file.enc.txt and verify that it shows only the word "test".
  3. Provide your Public Key to Blockpass:

    • If the decryption is successful, securely share the public.pem file with your Blockpass account manager or designated contact.
    • Note: Never share your private key, even with Blockpass.

Downloading Encrypted Profile

After a specified timeframe, records within the dashboard are automatically encrypted, each with a newly generated AES key.
That AES key is then wrapped (encrypted) with the RSA public key you provided to Blockpass, so it can only be recovered with your private key.
The encrypted profile and the wrapped AES key are stored within our secure cloud environment.
Finally, the profile is archived in the dashboard: the raw data is removed from active view, while the encrypted copy remains available for download by authorized personnel.

info

Archiving a profile involves permanently removing all raw data associated with it while preserving essential information such as status, audit logs, and other critical metadata.

  1. Access the profile page: click the record, then open the Summary tab.
  2. Download the encrypted file: click EXPORT to download the encrypted data. The download is a .zip archive containing profile.bin (the encrypted profile) and meta.json (the wrapped AES key, the IV, and the checksum of the public key used for wrapping).

Decrypting the Encrypted Profile

1. Using the utility script:

  • For simplicity's sake, you can download this bash script, which implements all the required steps:

    curl -sSOJ https://cdn.blockpass.org/utils/bp-decrypt.sh

    Review the script before running it, since it reads your private key. Save it in the folder that contains meta.json and profile.bin (extracted from the zip downloaded from your dashboard).

  • Make the script executable:

    chmod +x bp-decrypt.sh
  • Run the script, providing the necessary arguments:

    ./bp-decrypt.sh -i ./profile.bin -m ./meta.json -o ./decrypted_profile.zip -k ./your_privatekey.pem

    Parameters description

    • -i: path to the downloaded encrypted file
    • -m: path to the downloaded meta.json file
    • -o: path and name of the decrypted zip (must include the .zip extension)
    • -k: path to your RSA private key
  • Extract decrypted_profile.zip to get the readable profile data

2. Using OpenSSL commands:

Steps

  • Extract the downloaded zip to get profile.bin and meta.json
  • Open the file meta.json
  • Get your private key and verify that it corresponds to the public key used for encryption: the pubKeyChecksum value in meta.json identifies the public key the profile was wrapped for, so compare it with the checksum of the public.pem you provided to Blockpass
    • Note: If the private key is passphrase protected, OpenSSL will prompt for the passphrase when the key is used; alternatively, remove the passphrase first.
  • Decrypt (unwrap) the wrapped AES key with your private key (not the public key)
  • Decrypt the profile data using the unwrapped AES key and the IV from meta.json

Commands

Decrypt the wrapped AES key

  • Copy the value of wrappedKey from meta.json (the string only, without the surrounding quotes) into an empty tmp.txt file

  • Base64-decode the wrappedKey:

    openssl base64 -d -A -in tmp.txt -out tmp.bin
  • Use your private key to unwrap the decoded wrappedKey (RSA-OAEP):

    openssl pkeyutl -decrypt -inkey /path/to/yourprivatekey.pem -in tmp.bin -pkeyopt rsa_padding_mode:oaep -out aeskey.bin

    On OpenSSL releases before 3.0 the equivalent is openssl rsautl -decrypt -inkey /path/to/yourprivatekey.pem -in tmp.bin -oaep; rsautl is deprecated in 3.0 and later. If the unwrapped key is 32 raw bytes rather than hex text, convert it to the 64-character hex string that openssl enc -K expects:

    od -An -v -tx1 aeskey.bin | tr -d ' \n'

Decrypt the profile

  • Decrypt the profile using the unwrapped AES key (a 64-character hex string, held in $decryptedKey) and the initialization vector (iv) from meta.json (a 32-character hex string, held in $iv):

    openssl enc -d -aes-256-cbc -in profile.bin -out output.zip -K "$decryptedKey" -iv "$iv"
  • Unzip output.zip to get the profile data. A "bad decrypt" error from openssl enc almost always means a wrong key or IV (including a key or IV that is not hex-encoded), not a corrupted profile.bin.
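The scheme above, end to end, as an added example: this is not code from this page and not Blockpass's bp-decrypt.sh. bp_decrypt mirrors the manual OpenSSL steps (verify the key checksum, unwrap the AES key with the private key, decrypt the profile); bp_encrypt_sample is a constructed stand-in for the dashboard side so the result can be checked against a known plaintext, and wrong_key_rejected shows that a profile wrapped for one key pair does not decrypt under another. The field encodings are assumptions, because the page does not state them: wrappedKey is taken to be base64 of the RSA-OAEP-wrapped raw 32-byte AES key, iv a hex string, and pubKeyChecksum a SHA-256 over the public.pem bytes. All function names are hypothetical. Adjust json_field and the hex conversion if your meta.json differs.

```shell
#!/usr/bin/env bash
# Added example, not Blockpass's bp-decrypt.sh. Round-trips the envelope scheme
# described on this page: a per-profile AES-256 key encrypts the profile, and that
# key is wrapped with the customer's RSA public key (OAEP). bp_encrypt_sample is a
# constructed stand-in for the dashboard side so bp_decrypt can be checked against
# a known plaintext. Assumed, because the page does not state them: meta.json holds
# "wrappedKey" as base64 of the wrapped raw 32-byte key, "iv" as hex, and
# "pubKeyChecksum" as SHA-256 over the public.pem bytes.
set -eu

# json_field FILE KEY: print a string field. Uses jq if installed; the sed fallback
# needs the key and its value on one line.
json_field() {
  if command -v jq >/dev/null 2>&1; then
    jq -r --arg k "$2" '.[$k]' "$1"
  else
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
  fi
}

hex_of_file() { od -An -v -tx1 "$1" | tr -d ' \n'; }          # raw bytes -> hex for -K/-iv
pubkey_checksum() { openssl dgst -sha256 -r | cut -d' ' -f1; }  # PEM on stdin -> assumed checksum

# bp_decrypt PROFILE_BIN META_JSON PRIVATE_KEY_PEM OUTPUT_FILE (the manual steps above)
bp_decrypt() {
  local in="$1" meta="$2" key="$3" out="$4" tmp expected actual aes_hex iv_hex
  tmp="$(mktemp -d)"
  # 1. Is this private key the one whose public half the profile was wrapped for?
  expected="$(json_field "$meta" pubKeyChecksum)"
  actual="$(openssl rsa -in "$key" -pubout 2>/dev/null | pubkey_checksum)"
  if [ "$expected" != "$actual" ]; then
    echo "pubKeyChecksum mismatch: wrong private key for this profile" >&2
    rm -rf "$tmp"; return 1
  fi
  # 2. Unwrap the AES key with the PRIVATE key: base64 -> RSA-OAEP decrypt -> raw bytes.
  printf '%s' "$(json_field "$meta" wrappedKey)" | openssl base64 -d -A -out "$tmp/wrapped.bin"
  openssl pkeyutl -decrypt -inkey "$key" -in "$tmp/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep -out "$tmp/aes.key"
  aes_hex="$(hex_of_file "$tmp/aes.key")"
  iv_hex="$(json_field "$meta" iv)"
  rm -rf "$tmp"
  # openssl enc -K/-iv take hex: 64 chars for an AES-256 key, 32 for the 16-byte CBC IV.
  [ "${#aes_hex}" -eq 64 ] && [ "${#iv_hex}" -eq 32 ] || { echo "bad key/iv length" >&2; return 1; }
  # 3. Decrypt the profile itself (a zip in production; plain text in this demo).
  openssl enc -d -aes-256-cbc -in "$in" -out "$out" -K "$aes_hex" -iv "$iv_hex"
}

# bp_encrypt_sample DIR: constructed dashboard side. Leaves private.pem, profile.bin
# and meta.json in DIR and prints the plaintext it encrypted.
bp_encrypt_sample() {
  local d="$1" plaintext="name=Ada Lovelace,status=APPROVED" iv aes_hex
  openssl genrsa -out "$d/private.pem" 2048 2>/dev/null          # the customer's key pair
  openssl rsa -in "$d/private.pem" -pubout -out "$d/public.pem" 2>/dev/null
  printf '%s' "$plaintext" > "$d/plain.txt"
  openssl rand -out "$d/aes.key" 32                               # fresh key for this record
  iv="$(openssl rand -hex 16)"
  aes_hex="$(hex_of_file "$d/aes.key")"
  openssl enc -aes-256-cbc -in "$d/plain.txt" -out "$d/profile.bin" -K "$aes_hex" -iv "$iv"
  openssl pkeyutl -encrypt -pubin -inkey "$d/public.pem" -in "$d/aes.key" \
    -pkeyopt rsa_padding_mode:oaep -out "$d/wrapped.bin"
  printf '{\n  "wrappedKey": "%s",\n  "iv": "%s",\n  "pubKeyChecksum": "%s"\n}\n' \
    "$(openssl base64 -A -in "$d/wrapped.bin")" "$iv" "$(pubkey_checksum < "$d/public.pem")" \
    > "$d/meta.json"
  rm -f "$d/aes.key" "$d/plain.txt"   # only the wrapped key and the ciphertext are retained
  printf '%s' "$plaintext"
}

# roundtrip_demo: prints the recovered plaintext; fails if it differs from the original.
roundtrip_demo() {
  local d; d="$(mktemp -d)"
  bp_encrypt_sample "$d" > "$d/expected.txt"
  bp_decrypt "$d/profile.bin" "$d/meta.json" "$d/private.pem" "$d/out.txt"
  cmp -s "$d/expected.txt" "$d/out.txt" || { rm -rf "$d"; return 1; }
  cat "$d/out.txt"; rm -rf "$d"
}

# wrong_key_rejected: a profile wrapped for one key pair must not decrypt under another
# (the "no backward compatibility" point under Key rotation). Prints "rejected".
wrong_key_rejected() {
  local d; d="$(mktemp -d)"
  bp_encrypt_sample "$d" > /dev/null
  openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
  if bp_decrypt "$d/profile.bin" "$d/meta.json" "$d/other.pem" "$d/out.txt" 2>/dev/null; then
    rm -rf "$d"; echo "accepted"; return 1
  fi
  rm -rf "$d"; echo "rejected"
}

roundtrip_demo; echo
```

Running the script prints the recovered sample plaintext. The checksum comparison in step 1 is what turns a silent RSA-OAEP decryption failure into a clear "wrong private key" message, which is the first thing to check when a real download will not decrypt.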

Security Recommendations

  • Storing private keys:
    • Store your private keys in a secure, encrypted location.
    • Regularly back up your private keys in a secure and offline manner.
    • It is your responsibility to secure the files.
  • Storage of decrypted profiles:
    • Protect decrypted data files with appropriate access controls and security measures.
    • Avoid storing decrypted data for longer than necessary.
  • Key rotation:
    • Regularly rotate your key pair to enhance security.
    • Generate a new key pair, update your public key with Blockpass.
    • Important: Backward compatibility for decryption is not supported. Records encrypted under a previous public key can only be decrypted with the matching private key, so keep every retired private key for as long as you need to decrypt records encrypted under it.
danger

If the private key is lost, the encrypted data becomes permanently inaccessible, effectively resulting in data loss.

Troubleshooting

  • If you encounter any issues during decryption, double-check:
    • That the public key you provided to Blockpass (and the pubKeyChecksum in meta.json) matches the private key you are using.
    • That the private key file and its passphrase are correct.
    • The permissions of the files and scripts involved.
  • If you continue to experience problems, contact Blockpass support for assistance.
note

Disclaimer: This documentation is for informational purposes only. Blockpass assumes no responsibility for any security breaches or data loss resulting from improper key management or the use of this feature.