Actions
Vaulty may perform the following actions on elements:
Encrypt / Decrypt
Currently, Vaulty supports built-in encryption with AES GCM and 256-bit key. To use encryption you have to configure Encryption Backend first. Here we provide an example of using build-in AES GCM encryption with user provided encryption key.
Generate encryption key:
outputs:
Provide the Encryption Key to the Vaulty proxy via environment variable:
The encrypted value is hex-encoded string. The original and encoded values differ in length.
If Encryption Key is not provided, then Base64 encoding will be used. This is not secure and is acceptable only for demo/development purposes.
This is how you can encrypt user.password
element:
For this request:
You can see the result of transformation (and encryption):
decrypt
action will decrypt the element specified by expression
.
Mask
Using mask action you can replace value with placeholder (*
by default). In "symbol" attribute you can set custom placeholder value:
Here are some examples of how you can mask values.
Mask the whole value of json path element:
Result of transformation:
Mask data with regexp transformation:
For this request:
The result of the transformation is:
Tokenize / Detokenize
In Vaulty tokenization action does two things. First, it encrypts the value of transformation. Second, it stores the encrypted value in a secure storage and tags it with a generated token (think ID in a database).
The generated token is a random set of characters prefixed with tok
, e.g.: tokbr2euteg10l4dq9k8u4g10l4
.
Action params
- format - optional, currently only "email" format is supported. Setting format to "email" will generate tokens with valid email format like this: tokbrf43qck6cghs4f95kkg@tokenized.local.
Here is the transformation with tokenize action:
For this request:
The result of transformation:
Action detokenize
performs the opposite. First, it looks encrypted value in storage by the provided token. Second, it decrypts the value.
Hash
Using hash action you can replace value desired value with its SHA256 checksum:
Additionally, you can configure a Salt Value for the hash function.