Encryption

LearningBuilder has a FIPS-compliant encryption system that is used to secure both sensitive data and sensitive configuration.

Sys Admin users can also view: https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3475963914

Overview

LearningBuilder has a FIPS-compliant encryption system that can be used to encrypt sensitive data “at rest”.

This encryption can be applied to:

  • “Identity” attributes such as SSN and Driver’s License (these require the use of encryption)

  • Extrinsic Workflow Attributes

  • Uploaded files

  • Client Certificates

Technical details

Sensitive data are encrypted with AES (128-bit block size) in Cipher Block Chaining (CBC) mode with PKCS7 padding.

Encryption keys are securely stored in a secrets vault separate from the LearningBuilder application and database.

Member Identity attributes

Certain intrinsic Attributes are used specifically for identity-related purposes. These Attributes must be encrypted and can only be enabled when the Encryption system is enabled.

For more information, see https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/262569985

Encrypting extrinsic Workflow Attributes

Custom Workflow Attributes can be encrypted as well, by enabling the data security option when creating the Attribute:

Screenshot: Encrypting an Extrinsic Attribute

The whole point of encrypting the data at rest is to make it unreadable at the database level, which has some usability consequences.

Encrypted extrinsic Attributes:

  1. Cannot be exposed through systems such as OData that pull directly from the database

  2. Cannot be searched against

Encrypted file uploads

Uploaded files are placed into File Libraries. A File Library can be configured to be encrypted.

Screenshot: File Library list

When a user accesses a file in an encrypted library, they are warned that the file contents are sensitive and that access is logged.