The data will be encrypted in DB therefore a DB Admin won’t be able to steal it.
Two possible implementations:
1.On AddQueueItem add a property SpecificDataEncrypted. SpecificData works exactly like now and won’t be Encrypted. SpecificDataEncrypted won’t be visible in the Orchestrator UI and only a robot can have access to it.
Pros: Full Flexibility to decide what data is Encrypted Cons: Pressure on the developer to decide which goes Encrypted and which not. He will need to work with two QueueItem properties.
2.In the Orchestrator you have the option to encrypt the queue. Encrypted Queue means the entire Specific Data get Encrypted and not available in UI.
Pros: Centralized governance - decide at the Orchestrator level (and not at the process design level) what queue goes encrypted Cons: Less flexibility. Everything will be encrypted or everything will be visible. Sometimes you need some data for debug, verify.
Note. This feature is dependent on the ItemIdentifier implementation.
Cool. Then yes I think that’s the best option as you may want to report
directly on some of the non-sensitive data and wouldn’t be able to if it
was encrypted.
Also for #1 - flexibility is needed and doing an all-or-nothing will lead to less projects using it, or having a need for external data storage for reportable things.
I have tried to add a secure string in Queue collection and it throws JSON Error. Can you suggest how to encrypt specific items in queue collection in AddQueueItem. Also help me out to understand how the Specific Data Encrypted is to be set
can you elaborate on option 1 . . our client requirement is to encrypt items in queue collections. in option 2 does it hide entire queue in orchestrator or only the item
Do we have any solution on this? We have a customer who wants to store their data in orchestrator Queue, and their major concern is to store it encrypted as it will have sensitive data in it?
Looks like a very old post.
They don’t what to go with cryptography activity as it adds overhead in maintaining Key and there is no way to get the key from the Vault. And they are not okay to store their key in orchestrator.
For one thing, I saved your question as feedback for our product team to consider. I suppose @badita could share a bit of knowledge here, but I don’t think it is currently possible to automatically encrypt data that is saved in the queue.
Could you explain a bit how you would see this work practically in Studio with the Add Queue Item activity?
What is the use-case. Who do they want to protect the data from?
We realized that encryption (hiding the data in Front End) is actually obfuscation.
They can encrypt the entire database and protect it from a DB admin. It is a feature of SQL Server.
That’s something new, what changes are required from orchestrator point if we encrypt entire DB… Do we need to change web.config so that it can read encrypted data. Do you have any document or steps that needs to be followed
Support team has access to orchestrator and all the tenants. They can see all the customer data. Business doesn’t want their data to visible. We can go with Org units or give limited access to support team. But the team who owns Infra are admin of orchestrator and we cannot restrict that.
They want to encrypt all the data while storing in database.(which can be achieved by encrypting entire DB… ) Also they want to mask it from the UI so that apart from robot, no one else would see it.
Even if business team cant see it that fine, their main concern is they don’t want their data to seen outside their BU. Only robot should have access to it.
I tried to explain as much as I can.
Let me now if you want any more information.
Cheers!
Note:
Transparent Data Encryption does not concern data in transit or data in use, meaning that if you run any queries on the database, retrieved information is unencrypted.
How would this help. For Data in motion UiPath uses TLS 1.2
Data at rest AES 256 encryption → this is for credentials right?
When we encrypt entire database, it says if you run any queries on the database, retrieved information is unencrypted.
There are still people that need to access the data (to check failed transaction for example).
So yes, though not perfect you can use org units to restrict access to the data or, in 19.10, folders which are a kind of org units on steroids :). Try it in cloud.