Encrpyt item in Queue

Add sensitive data in the queue however it needs to be encrypt so that neither admin nor anyone else can have access to view this data.

Use Case -

  1. Request comes 24/7 via email or portal.
  2. The requests are validated and processed and added to the queue (SSN id’s and other details).
  3. The systems/applications (Mainframe/web) are up during 09:00 to 17:00
  4. Once the system/application are up the queue items will be processed.
1 Like

Admin (Orchestrator) or DB Admin (SQL)?

1 Like

Admin (Orchestrator)

1 Like

The data will be encrypted in DB therefore a DB Admin won’t be able to steal it.

Two possible implementations:

1.On AddQueueItem add a property SpecificDataEncrypted. SpecificData works exactly like now and won’t be Encrypted. SpecificDataEncrypted won’t be visible in the Orchestrator UI and only a robot can have access to it.

Pros: Full Flexibility to decide what data is Encrypted
Cons: Pressure on the developer to decide which goes Encrypted and which not. He will need to work with two QueueItem properties.

2.In the Orchestrator you have the option to encrypt the queue. Encrypted Queue means the entire Specific Data get Encrypted and not available in UI.

Pros: Centralized governance - decide at the Orchestrator level (and not at the process design level) what queue goes encrypted
Cons: Less flexibility. Everything will be encrypted or everything will be visible. Sometimes you need some data for debug, verify.

Note. This feature is dependent on the ItemIdentifier implementation.

@andrzej.kniola @sajal.chakraborty @richarddenton @b_s Please advise

4 Likes

What about a separate column for data you want to encrypt and a property for these items.

Not saying this is a great idea just thinking out loud…

1 Like

Yes. That’s the first option when you’ll have EncryptedData and SpecificData at the same time.

2 Likes

Cool. Then yes I think that’s the best option as you may want to report
directly on some of the non-sensitive data and wouldn’t be able to if it
was encrypted.

Rich

3 Likes

Also for #1 - flexibility is needed and doing an all-or-nothing will lead to less projects using it, or having a need for external data storage for reportable things.

2 Likes

Is SpecififDataEncrypted a property setting in server side?or it talks about the individual item in ItemCollection as a securestring

1 Like

H Vikas

I have tried to add a secure string in Queue collection and it throws JSON Error. Can you suggest how to encrypt specific items in queue collection in AddQueueItem. Also help me out to understand how the Specific Data Encrypted is to be set

2 Likes

can you elaborate on option 1 . . our client requirement is to encrypt items in queue collections. in option 2 does it hide entire queue in orchestrator or only the item

2 Likes

What is the use case

Have encrypt feature in orchestaror which only encypt specific collection items in queue

How do you see a solution for the use case?

It has to a configurable selection in orchestator made by admin

2 Likes

@badita can you share an example?
I have also tried to add a secure string as an argument (addqueueitem->collection) but it throws Json error.

My requirement is to store some sensitive data like employee name and date of birth in Specific Data, but it has to be encrypded (GDPR regulations).

Was someone able to do it and can share an example?

Thanks,
magda

2 Likes

Do we have any solution on this? We have a customer who wants to store their data in orchestrator Queue, and their major concern is to store it encrypted as it will have sensitive data in it?

Looks like a very old post.

They don’t what to go with cryptography activity as it adds overhead in maintaining Key and there is no way to get the key from the Vault. And they are not okay to store their key in orchestrator.

Can someone suggest is their any way to it?

@loginerror @badita @Vikas.Jain @andrzej.kniola @richarddenton

Hi @Rocki_Jan

For one thing, I saved your question as feedback for our product team to consider. I suppose @badita could share a bit of knowledge here, but I don’t think it is currently possible to automatically encrypt data that is saved in the queue.

Could you explain a bit how you would see this work practically in Studio with the Add Queue Item activity?

What is the use-case. Who do they want to protect the data from?

We realized that encryption (hiding the data in Front End) is actually obfuscation.
They can encrypt the entire database and protect it from a DB admin. It is a feature of SQL Server.

1 Like

That’s something new, what changes are required from orchestrator point if we encrypt entire DB… Do we need to change web.config so that it can read encrypted data. Do you have any document or steps that needs to be followed

Support team has access to orchestrator and all the tenants. They can see all the customer data. Business doesn’t want their data to visible. We can go with Org units or give limited access to support team. But the team who owns Infra are admin of orchestrator and we cannot restrict that.

They want to encrypt all the data while storing in database.(which can be achieved by encrypting entire DB… ) Also they want to mask it from the UI so that apart from robot, no one else would see it.

Even if business team cant see it that fine, their main concern is they don’t want their data to seen outside their BU. Only robot should have access to it.

I tried to explain as much as I can.

Let me now if you want any more information.
Cheers!

is this the link you are referring : https://docs.uipath.com/orchestrator/docs/encrypting-the-sql-server

Note:
Transparent Data Encryption does not concern data in transit or data in use, meaning that if you run any queries on the database, retrieved information is unencrypted.

How would this help. For Data in motion UiPath uses TLS 1.2
Data at rest AES 256 encryption → this is for credentials right?

When we encrypt entire database, it says if you run any queries on the database, retrieved information is unencrypted.

I am sort of unable to understand this?

There are still people that need to access the data (to check failed transaction for example).

So yes, though not perfect you can use org units to restrict access to the data or, in 19.10, folders which are a kind of org units on steroids :). Try it in cloud.