Encryption
LearningBuilder has a FIPS-compliant encryption system that is used to secure both sensitive data and sensitive configuration.
Sys Admin users can also view: https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/3475963914
Overview
LearningBuilder has a FIPS-compliant encryption system that can be used to encrypt sensitive data “at rest”.
This encryption can be applied to:
“Identity” attributes such as SSN and Driver’s License (these require the use of encryption)
Extrinsic Workflow Attributes
Uploaded files
Client Certificates
Technical details
Sensitive data are encrypted with AES using a 128-bit block size, Cipher Block Chaining (CBC) mode, and PKCS7 padding.
Encryption keys are securely stored in a secrets vault separate from the LearningBuilder application and database.
Member Identity attributes
Certain intrinsic Attributes are used specifically for identity-related purposes. These Attributes must be encrypted and can only be enabled when the Encryption system is enabled.
For more information, see https://heuristicsolutions.atlassian.net/wiki/spaces/DOCS/pages/262569985
Encrypting extrinsic Workflow Attributes
Custom Workflow Attributes can be encrypted as well, by enabling the data security option when creating the Attribute.
The whole point of encrypting the data at rest is to make it unreadable at the database level, which has some usability consequences.
Encrypted extrinsic Attributes:
Cannot be exposed through systems such as OData that pull directly from the database
Cannot be searched against
Encrypted file uploads
Uploaded files are placed into File Libraries. File Libraries can be configured to be encrypted.
When a user accesses a file in an encrypted library, they are warned that the file contents are sensitive and that access is logged.