Client side field level encryption

Has anyone implemented CSFLE in Anvil?

I’m thinking through ways it could be done safely but getting into a bit of brain loop with it.

I’m kind of stuck on the idea of a key being generated for the session, so it’s time limited and (maybe) passed in the session like nrings in the Docs example, basically. That session key then has a relationship with a master stored in Secrets (tbd).

What’s the best / proper way to proceed, or where should one truffle hunt? Is there an existing pattern? Is CSFLE even possible with Anvil?

A web search (CSFLE - Google Search) indicates that CSFLE is a feature of MongoDB.

You’re connecting an Anvil Client program, running in the browser, directly to MongoDB, bypassing the Anvil Server?

I’m thinking more about an Anvil native way of doing it. Would be immensely powerful.

For connecting to Anvil’s servers, connections are already encrypted. That’s the “s” in “https”.

I haven’t studied MongoDB’s CSFLE, and probably a lot of other readers haven’t either. So perhaps you could elaborate on your particular concept of “it” in “native way of doing it”.

That is,

  • which software,
  • running where,

is talking to

  • which other software,
  • running where,
  • about what,

over an encrypted channel?

I literally mean the whole thing (CSFLE) natively in Anvil, from a client module to a datatable, no external connections.

Key pair generation can easily be done in a server module. Private key stored in Secrets or similar.

The challenge then is:

  1. getting the public key to the user (the most interesting pattern I’ve seen is via expiring token in email, like a magic link method.)

  2. encrypting on the client in the user’s session before the data hits a server call.

The end result is that only encrypted data passes over HTTPS to the server, where it can be encrypted again if needs be before going into a datatable.

Using the private key, the data can then be processed on the server side, re-encrypted, then passed back to the client, where the decryption takes place on viewing using the issued public key.

I’m open to any ideas really. I’m also sceptical that it could work, but always want to push a concept to see what can be squeezed out of it.
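Working through steps 1 and 2 of the sketch above in Python (an added example, not code from this thread or from Anvil): a server-side function generates the key pair, the client wraps a fresh per-field AES-GCM key with the issued public key before the value goes into a server call, and only the holder of the private key (kept server-side, e.g. in Secrets) can unwrap and read the field. It assumes the `cryptography` package is importable on both sides; the field name and sample value are constructed.

```python
# Hybrid (envelope) field encryption: RSA-OAEP wraps a per-field AES-GCM key.
import os
import base64
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

# --- server module: generate the pair; the private PEM is what would go into Secrets ---
def generate_keypair():
    """Return (private_pem, public_pem) as bytes."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                             serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem

# --- client side: encrypt one field with the issued public key before the server call ---
def encrypt_field(pub_pem: bytes, field_name: str, value: str) -> dict:
    """Fresh AES-GCM data key per field; the key itself travels wrapped under RSA-OAEP."""
    pub = serialization.load_pem_public_key(pub_pem)
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    # The field name is authenticated (AAD): a ciphertext moved to another column will not decrypt.
    ciphertext = AESGCM(dek).encrypt(nonce, value.encode(), field_name.encode())
    wrapped = pub.encrypt(dek, OAEP)
    return {"field": field_name,
            "wrapped_key": base64.b64encode(wrapped).decode(),
            "nonce": base64.b64encode(nonce).decode(),
            "ciphertext": base64.b64encode(ciphertext).decode()}

# --- server side: only the private-key holder can unwrap the data key and read the value ---
def decrypt_field(priv_pem: bytes, blob: dict) -> str:
    priv = serialization.load_pem_private_key(priv_pem, password=None)
    dek = priv.decrypt(base64.b64decode(blob["wrapped_key"]), OAEP)
    nonce = base64.b64decode(blob["nonce"])
    ciphertext = base64.b64decode(blob["ciphertext"])
    return AESGCM(dek).decrypt(nonce, ciphertext, blob["field"].encode()).decode()

def decrypts_ok(priv_pem: bytes, blob: dict) -> bool:
    """True if the blob is intact and bound to its field; False on tampering or a swapped column."""
    try:
        decrypt_field(priv_pem, blob)
        return True
    except (InvalidTag, ValueError):
        return False
```

Because the client only ever holds the public key, nothing in the browser session can decrypt what it has sent, which is the property that distinguishes this from plain HTTPS transport encryption.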

I guess what I’m looking for is, how is this any different from what already happens with HTTPS and Anvil’s database?

With HTTPS, users don’t have to get involved, so they can’t (accidentally or on purpose) screw it up.

It"s just a layer on top of that which, in certain use cases or locations, might be regarded as essential.

The Mongo version, for example, helps with data processing roles in DPIAs.