Copyright © 2024 OpenG2P. This work is licensed under Creative Commons Attribution International License CC-BY-4.0 unless otherwise noted.

Key Manager

Introduction

OpenG2P recognizes the critical importance of securing sensitive databases, including registrant data and voucher generation. The inclusion of a dedicated Key Manager ensures the protection of private and public keys, enhancing overall system security.

Key Manager integration

Purpose

The Key Manager in OpenG2P serves as a centralized entity responsible for the secure storage, generation, and distribution of cryptographic keys. Its primary functions include:

Securing databases

  • Safeguarding databases containing registrant data and voucher generation records.

  • Protecting against unauthorized access and ensuring data confidentiality.

Private and public key management

  • Storing and managing private keys used for encryption and digital signatures.

  • Distributing public keys for secure communication and verification.

Key generation and storage

  • Utilize the Key Manager to generate strong cryptographic keys.

  • Safely store keys, potentially leveraging Hardware Security Modules (HSMs) for added protection.

Database encryption

  • Employ keys from the Key Manager to encrypt sensitive data in databases.

  • Ensure that only authorized entities with the appropriate keys can access and decrypt the data.

Voucher generation security

  • Implement secure voucher generation processes using keys managed by the Key Manager.

  • Protect against fraudulent activities by securing voucher generation operations.

Private/public key pair handling

  • Manage private keys securely to prevent unauthorized access.

  • Distribute public keys for use in secure communication channels within the OpenG2P ecosystem.

Security best practices

Key rotation

  • Regularly rotate cryptographic keys to mitigate the risk of compromise.

  • Ensure a seamless transition during key rotation to avoid disruptions.

HSM integration

Consider integrating with Hardware Security Modules for enhanced physical and logical key protection.

Integration process

The integration process involves making calls to the KeyManager service deployed in the Kubernetes cluster of OpenG2P. Keycloak issues an access token, which is sent as the authorization header on each API request. The primary functionalities are encapsulated within the g2p_encryption module.

Key Components:

  1. Keycloak access token:

    • Obtained by authenticating with Keycloak.

    • Serves as the authorization header for API requests.

  2. KeyManager service:

    • Deployed in the Kubernetes cluster of OpenG2P.

    • Exposes various API endpoints for cryptographic operations.

  3. g2p_encryption module:

    • Central module handling cryptographic functionality.

    • Initiates API calls to the KeyManager service.

Process steps:

  1. Obtain a Keycloak access token:

    • Authenticate with Keycloak to acquire an access token.

  2. Initialize the g2p_encryption module:

    • Set up an instance of the g2p_encryption module within the OpenG2P environment.

  3. API requests to KeyManager:

    • Send the access token as the authorization header on each API request.

    • Call the KeyManager API endpoints for the required cryptographic operations.

  4. KeyManager API endpoints:

    • The KeyManager service, deployed in the Kubernetes cluster, exposes endpoints for tasks such as JWT signing and certificate retrieval.

  5. Integration with Odoo:

    • The g2p_encryption module acts as a bridge between KeyManager and Odoo.

    • Provides an interface for Odoo to perform secure operations using the services offered by KeyManager.
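The token-then-call sequence described in the steps above, as an added example that is not part of the OpenG2P documentation or of the g2p_encryption module itself. It is plain Python with an injectable HTTP transport so that it runs offline: the Keycloak token endpoint follows the standard OpenID Connect layout (client-credentials grant), while the KeyManager paths (`/jwtSign`, `/getCertificate`), their request and response field names, the `FakeServices` stand-in, and all URLs and credentials are constructed assumptions rather than the real service's API. The point it adds to the text is token lifecycle handling: the token is cached, refreshed shortly before expiry, and discarded when KeyManager rejects it.

```python
"""Added example: Keycloak access token used as a Bearer header on KeyManager calls.
Endpoint paths, field names and the transport are assumptions, not OpenG2P's code."""
import json
import time
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Transport signature: (method, url, headers, body) -> (status_code, parsed JSON body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, Any]]]


class KeyManagerError(RuntimeError):
    pass


class KeyManagerClient:
    # Refresh this many seconds before Keycloak's expires_in, so no request goes
    # out with a token that would die in flight.
    EXPIRY_SKEW = 30

    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 base_url: str, transport: Transport,
                 clock: Callable[[], float] = time.time) -> None:
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _fetch_token(self) -> None:
        # Standard Keycloak token endpoint: form-encoded client_credentials grant.
        form = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id,
                          "client_secret": self.client_secret}).encode()
        status, body = self.transport(
            "POST", self.token_url,
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200 or "access_token" not in body:
            raise KeyManagerError(f"token request failed: HTTP {status}")
        self._token = body["access_token"]
        self._expires_at = self.clock() + float(body.get("expires_in", 0)) - self.EXPIRY_SKEW

    def _auth_headers(self) -> Dict[str, str]:
        if self._token is None or self.clock() >= self._expires_at:
            self._fetch_token()
        return {"Authorization": f"Bearer {self._token}",
                "Content-Type": "application/json"}

    def _call(self, method: str, path: str,
              payload: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, self.base_url + path, self._auth_headers(), body)
        if status == 401:
            # Token rejected (revoked, wrong realm, ...): forget it so the next
            # call re-authenticates, and surface the failure to the caller.
            self._token = None
            raise KeyManagerError("KeyManager rejected the access token")
        if status != 200:
            raise KeyManagerError(f"{method} {path} failed: HTTP {status}")
        return data

    # The two operations the page names. Paths and field names are assumed.
    def jwt_sign(self, claims: Dict[str, Any], application_id: str, reference_id: str) -> str:
        data = self._call("POST", "/jwtSign", {"applicationId": application_id,
                                               "referenceId": reference_id,
                                               "dataToSign": claims})
        return data["jwtSignedData"]

    def get_certificate(self, application_id: str, reference_id: str) -> str:
        query = urlencode({"applicationId": application_id, "referenceId": reference_id})
        return self._call("GET", f"/getCertificate?{query}")["certificate"]


class FakeServices:
    """Constructed in-memory stand-in for Keycloak and KeyManager, used only so the
    example runs offline. It issues tokens and rejects any request without one."""

    def __init__(self) -> None:
        self.token_requests = 0
        self.valid_tokens: set = set()

    def transport(self, method: str, url: str, headers: Dict[str, str],
                  body: Optional[bytes]) -> Tuple[int, Dict[str, Any]]:
        if url.endswith("/protocol/openid-connect/token"):
            self.token_requests += 1
            token = f"token-{self.token_requests}"
            self.valid_tokens.add(token)
            return 200, {"access_token": token, "expires_in": 300}
        presented = headers.get("Authorization", "")
        if not presented.startswith("Bearer ") or presented[7:] not in self.valid_tokens:
            return 401, {"errors": [{"message": "invalid or missing token"}]}
        if method == "POST" and url.endswith("/jwtSign"):
            claims = json.loads(body or b"{}")["dataToSign"]
            return 200, {"jwtSignedData": "signed:" + json.dumps(claims, sort_keys=True)}
        if method == "GET" and "/getCertificate?" in url:
            return 200, {"certificate": "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----"}
        return 404, {}
```

To use it against a real deployment, replace `FakeServices.transport` with a function that performs the HTTP call (for example with `requests`) and returns the status code and decoded JSON; the client logic does not change.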

Advantages:

  • Centralized cryptographic operations:

    • All cryptographic operations are centralized within the g2p_encryption module, promoting modular and maintainable code.

  • Secure communication:

    • Using Keycloak access tokens ensures authenticated communication between OpenG2P and KeyManager.

  • Scalability:

    • Kubernetes deployment facilitates scalability and efficient management of the KeyManager service.

Code module

The system employs the Key Manager to handle the encryption of registry data. All registry information is stored in encrypted form, represented as an opaque string. To access the original data, an administrator must use the "decrypt fields" option available in the settings. The Key Manager is responsible for generating, storing, and managing the encryption keys required for encrypting and decrypting the registry information. This approach enhances security by ensuring that sensitive data remains unreadable without the appropriate decryption step.
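An added example, not OpenG2P's own code, illustrating both the "Key rotation" guidance above and this section: registry fields are persisted as opaque strings that carry the id of the key used, the key itself lives only inside a key manager object, decryption is gated behind the administrator's "decrypt fields" right, and a rotation re-encrypts stored rows under the new key while the old key remains available for anything not yet re-encrypted. The `enc:<key id>:<base64>` storage format, the function names and the `InMemoryKeyManager` are constructed for the example. That class stands in for the HSM-backed KeyManager service; to keep the example stdlib-only it uses an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), chosen here purely so the example runs offline, not as a description of what the real service does.

```python
"""Added example: encrypted registry fields with key ids and rotation.
The storage format and the in-memory key manager are assumptions for this example."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16
TAG_LEN = 32
PREFIX = "enc"


class InMemoryKeyManager:
    """Stand-in for the HSM-backed KeyManager: keys never leave this object."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.current_key_id = ""
        self.rotate()

    def rotate(self) -> str:
        # New key ids are monotonically numbered; old keys are retained for decryption.
        key_id = f"k{len(self._keys) + 1}"
        self._keys[key_id] = secrets.token_bytes(32)
        self.current_key_id = key_id
        return key_id

    @staticmethod
    def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
        # Separate keystream and tag keys derived from the stored key.
        return (hmac.new(key, b"enc", hashlib.sha256).digest(),
                hmac.new(key, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> Tuple[str, bytes]:
        key_id = self.current_key_id
        enc_key, mac_key = self._subkeys(self._keys[key_id])
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(enc_key, nonce, len(plaintext))))
        # The key id is bound into the tag so a ciphertext cannot be replayed under another key.
        tag = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
        return key_id, nonce + ct + tag

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        if key_id not in self._keys:
            raise KeyError(f"unknown key id {key_id}")
        enc_key, mac_key = self._subkeys(self._keys[key_id])
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(mac_key, key_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext tampered with, truncated, or wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(enc_key, nonce, len(ct))))


def encrypt_field(km: InMemoryKeyManager, value: str) -> str:
    """Return the opaque string that is stored in the registry column."""
    key_id, blob = km.encrypt(value.encode("utf-8"))
    return f"{PREFIX}:{key_id}:{base64.b64encode(blob).decode('ascii')}"


def key_id_of(stored: str) -> str:
    return stored.split(":", 2)[1]


def decrypt_field(km: InMemoryKeyManager, stored: str, may_decrypt: bool) -> str:
    """The 'decrypt fields' action: only callers holding that right get plaintext."""
    if not may_decrypt:
        raise PermissionError("decrypting registry fields requires the admin action")
    prefix, key_id, b64 = stored.split(":", 2)
    if prefix != PREFIX:
        raise ValueError("value is not an encrypted field")
    return km.decrypt(key_id, base64.b64decode(b64)).decode("utf-8")


def rotate_and_reencrypt(km: InMemoryKeyManager, rows: Dict[str, str]) -> Dict[str, str]:
    """Rotation without disruption: rows move to the new key, the old key stays readable."""
    km.rotate()
    return {row_id: encrypt_field(km, decrypt_field(km, stored, True))
            for row_id, stored in rows.items()}
```

The stored string carries its key id, which is what makes a gradual rotation possible: rows that have not been re-encrypted yet still name the key they need, so the Key Manager can keep serving the previous key for reads while all new writes use the current one, and the old key is retired only once no stored value references it.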

Future Considerations:

  • Error handling:

    • Implement robust error handling mechanisms to gracefully manage exceptions during API calls.

  • Logging and Monitoring:

    • Incorporate logging and monitoring features for tracking API requests and identifying potential issues.

Documentation

Refer to the following links for a deeper understanding of the API's structure and

  • Kernel APIs

  • MOSIP API documentation

Conclusion

Integrating the Key Manager into OpenG2P provides a robust foundation for securing crucial databases and managing cryptographic keys. By following best practices and leveraging the capabilities of the Key Manager, OpenG2P ensures the confidentiality, integrity, and authenticity of sensitive information.