[CryptoAPI] OutSystems does not recommend changing site property runtime behaviour in CryptoAPIDemo
Question
cryptoapi
Forge component by João Barata
Application Type
Service

Hi,

I noticed that a site property is used to store the key in the OutSystems CryptoAPIDemo application. OutSystems never recommends changing a site property at runtime.

We tried to save the key in an entity, but it vanishes when we try to read it. Do you have any example where the key is stored in an entity rather than a site property?

Solution

Hi S P,

It is true that we don't recommend updating Site properties at runtime. The reason is that whenever a site property is updated, the module cache and its consumers will be invalidated and reloaded again.

However, in the demo, you will notice that the Site property is only set once when the private key has not yet been initialized. This has the same impact as going to Service Center and manually updating the Site property.
Doing it once in a while is not harmful; however, doing it over and over again can lead to performance issues as per the article above.

As for alternatives, you can store the key on the database or even retrieve the key from a third-party key store management service, e.g. AmazonKMS.

If you are storing the value on the database, you should follow the same logic as in the Site Property example.

  1. Check if you already have a key generated on the database
  2. If you have the key on the database, use the ReadKey and return its value to the application to encrypt/decrypt data. If you don't have the key on the database, go to step 3.
  3. Generate a new key
  4. Store key on the database using the result of the SaveKey action
  5. Return key to the application to encrypt/decrypt data

If you notice, we only generate a key if you haven't generated the key yet.

Please refer to the envelope encryption diagrams on our documentation:
https://success.outsystems.com/Support/Enterprise_Customers/Maintenance_and_Operations/Data_Encryption_at_Rest#How_to_fully_encrypt_your_sensitive_data
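
The five steps above, sketched as an added example that is not part of the original answer and is not OutSystems or CryptoAPI code. Python and SQLite stand in for the entity; the table `app_key` and the functions `open_store`, `read_key` and `get_or_create_key` are hypothetical, and the key is stored raw here where the answer stores the result of the SaveKey action.

```python
import secrets
import sqlite3

KEY_BYTES = 32  # 256-bit symmetric key (assumed size)


def open_store(path=":memory:"):
    """Create the hypothetical single-row key table (stand-in for the entity)."""
    db = sqlite3.connect(path)
    # PRIMARY KEY plus CHECK (id = 1) guarantees at most one key row.
    db.execute(
        "CREATE TABLE IF NOT EXISTS app_key ("
        " id INTEGER PRIMARY KEY CHECK (id = 1),"
        " key_material BLOB NOT NULL)"
    )
    db.commit()
    return db


def read_key(db):
    """Steps 1-2: return the stored key, or None if none exists yet."""
    row = db.execute("SELECT key_material FROM app_key WHERE id = 1").fetchone()
    return bytes(row[0]) if row else None


def get_or_create_key(db):
    """Steps 1-5: reuse the stored key; generate and persist only once."""
    key = read_key(db)
    if key is not None:
        return key
    candidate = secrets.token_bytes(KEY_BYTES)  # step 3: generate a new key
    # Step 4: INSERT OR IGNORE lets a concurrent first call lose quietly
    # instead of overwriting a key that has already encrypted data.
    db.execute(
        "INSERT OR IGNORE INTO app_key (id, key_material) VALUES (1, ?)",
        (candidate,),
    )
    db.commit()  # commit before use, so the next read sees the row
    # Step 5: re-read so every caller returns the key that actually won.
    return read_key(db)
```

A key that appears to vanish on the next read is often a missing commit or a second generate-and-save replacing the first; the single-row constraint and the re-read guard against both.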

Why do you need to change it during runtime? The API key should be the same; you just update it in the first deployment and when needed in the site property. We have used keys in entities and it is working fine. Make sure you are calling the API after getting the key. It could be an async call happening. Check your logic.
