In the example above, the name, email, phone, and ssn properties will be encrypted and decrypted automatically.
Querying encrypted properties
Querying on encrypted properties is handled automatically: encrypted properties referenced in a where clause are detected and matched without decrypting the stored data first.
The encryption algorithm used by the Piiano Vault server is deterministic, meaning that the same value will always be encrypted to the same ciphertext in the database which makes querying possible.
Note
Using this approach limits the ability to query on encrypted properties to the = and != operators.
Other operators such as >, <, >=, <=, LIKE, BETWEEN, etc. are not supported.
For example, the following query will work as expected on the encrypted email property:
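To make the point concrete, here is an added example (not the plugin's own code, and not Piiano Vault's actual cipher) that simulates the behaviour described above: a deterministic encryption stand-in built from Node's crypto module, a constructed in-memory table in place of the database, and a lookup that works the way an equality `where` on an encrypted column does, by encrypting the query parameter and comparing ciphertexts. The key, the SIV-style construction and the sample rows are all assumptions made for the demo.

```typescript
import { createCipheriv, createDecipheriv, createHmac } from "node:crypto";

// Constructed demo key. With the real plugin the key never leaves Piiano Vault;
// here it only exists so the example runs offline.
const ROOT_KEY = Buffer.alloc(32, 7);
const MAC_KEY = createHmac("sha256", ROOT_KEY).update("mac").digest();
const ENC_KEY = createHmac("sha256", ROOT_KEY).update("enc").digest();

// Deterministic encryption stand-in (assumed, SIV-style): the IV is an HMAC of
// the plaintext, so equal plaintexts always produce equal ciphertexts. That
// property is what makes an equality query on the stored ciphertext possible.
export function encryptDeterministic(plaintext: string): string {
  const iv = createHmac("sha256", MAC_KEY).update(plaintext).digest().subarray(0, 16);
  const cipher = createCipheriv("aes-256-cbc", ENC_KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, ct]).toString("base64");
}

export function decryptDeterministic(token: string): string {
  const buf = Buffer.from(token, "base64");
  const decipher = createDecipheriv("aes-256-cbc", ENC_KEY, buf.subarray(0, 16));
  return Buffer.concat([decipher.update(buf.subarray(16)), decipher.final()]).toString("utf8");
}

// Constructed rows standing in for what TypeORM would have written to the
// database: the email column holds ciphertext, never the address itself.
interface StoredCustomer { id: number; email: string }
export const table: StoredCustomer[] = [
  { id: 1, email: encryptDeterministic("alice@example.com") },
  { id: 2, email: encryptDeterministic("bob@example.com") },
];

// Equivalent of `where: { email: "alice@example.com" }` on an encrypted column:
// encrypt the parameter, then compare ciphertext with ciphertext. No row is
// decrypted to answer the query.
export function findByEmail(email: string): number[] {
  const needle = encryptDeterministic(email);
  return table.filter((row) => row.email === needle).map((row) => row.id);
}

// Why LIKE, BETWEEN and the ordering operators cannot work on this column: a
// prefix of the plaintext does not encrypt to a prefix of the ciphertext, so a
// `LIKE 'alice%'` rewritten the same way matches nothing.
export function prefixMatchesCiphertext(prefix: string): boolean {
  const encPrefix = encryptDeterministic(prefix);
  return table.some((row) => row.email.startsWith(encPrefix));
}
```

The important detail for anyone assessing this design is the trade-off it encodes: determinism buys equality queries but also means identical plaintexts are visible as identical ciphertexts in the database, which is exactly why the plugin restricts the supported operators to = and !=.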
The Piiano Vault server supports the use of transformations.
Transformations provide a mechanism to present sensitive data in a way that reduces data exposure.
For example, the email property in the example above could be masked using the mask transformation to return s********@example.com instead of the actual email address.
To use a transformation, append the transformation name to the column name in the select clause:
Transformations are applied on the Vault server and only the transformed result is returned to the client, so the sensitive data itself never leaves the Vault server.
Note
The withTransformations function is a wrapper that extends the type of the given entity class to allow selecting on the transformation properties.
It is not required to use the withTransformations function, but it is recommended because it enables proper type checking.
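The following added example (not the plugin's or Piiano Vault's code) shows the two ideas from this section in isolation: a type-level counterpart of withTransformations that makes `<property>.<transformation>` selectable on an entity type, and a stand-in for the server-side step that returns only the transformed value. The entity shape, the exact masking format (first character kept, remainder of the local part replaced by `*`, domain kept, as in the `s********@example.com` illustration above) and the object-form select are assumptions made for the demo; the real plugin performs the masking inside Vault.

```typescript
// Constructed entity type standing in for a TypeORM entity class.
interface Customer {
  id: number;
  name: string;
  email: string;
  phone: string;
}

// Only `mask` is named on the page; other transformation names are not assumed.
type Transformation = "mask";

// Type-level equivalent of withTransformations: every string-typed property of
// T (encryption is only supported for string columns) also becomes selectable
// as `<property>.<transformation>`, so `select: { "email.mask": true }` type-checks.
type WithTransformations<T> = T & {
  [K in keyof T & string as T[K] extends string ? `${K}.${Transformation}` : never]: string;
};

type SelectOptions = Partial<Record<keyof WithTransformations<Customer>, boolean>>;

// Assumed masking rule: for an address keep the first character and the domain,
// for any other string keep the first character; everything else becomes '*'.
export function mask(value: string): string {
  const at = value.indexOf("@");
  if (at > 0) return value[0] + "*".repeat(at - 1) + value.slice(at);
  return value.length === 0 ? "" : value[0] + "*".repeat(value.length - 1);
}

// Stand-in for the Vault round trip: the caller receives the transformed
// string for `x.mask` keys and the plain value for untransformed keys. With the
// object-form select both forms of the same property can be requested at once.
export function selectWithTransformations(
  row: Customer,
  select: SelectOptions,
): Partial<WithTransformations<Customer>> {
  const out: Record<string, unknown> = {};
  for (const [key, wanted] of Object.entries(select)) {
    if (!wanted) continue;
    const [prop, transform] = key.split(".");
    const value = row[prop as keyof Customer];
    if (transform === undefined) {
      out[key] = value;
    } else if (transform === "mask" && typeof value === "string") {
      out[key] = mask(value);
    } else {
      throw new Error(`unsupported transformation '${transform}' on '${prop}'`);
    }
  }
  return out as Partial<WithTransformations<Customer>>;
}
```

Because the mapped type only admits `string` columns, a typo such as `"emial.mask"` or an attempt to select `"id.mask"` is rejected at compile time, which is the type-checking benefit the Note above refers to.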
Development
To build and test the project:
yarn
yarn build
yarn test
License
This project is licensed under the MIT License; see the LICENSE file for details.
Known Limitations
Encryption is supported only for string columns.
Selecting the same property in both its transformed and untransformed form using the array notation returns only the transformed value.
Examples:
Using select: ['email', 'email.mask'] will result in only email.mask being returned.
While using select: {'email.mask': true, 'email': true} will result in both email and email.mask being returned.
Selecting using the array notation is deprecated by TypeORM and is not recommended.
About Piiano Vault
Piiano Vault is the secure home for sensitive personal data. It allows you to safely store sensitive personal data in your own cloud environment with automated compliance controls.
Vault is deployed within your own architecture, next to other DBs used by the applications, and should be used to store the most critical sensitive personal data, such as credit cards and bank account numbers, names, emails, national IDs (e.g. SSN), phone numbers, etc.
TypeORM plugin for data encryption using Piiano Vault
We found that @piiano/typeorm-encryption demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Last updated on 15 Apr 2024