UiPath.Cryptography.Activities package doesn't provide a way to pass encryption key in a secure way

Hi All,

We have a requirement to encrypt sensitive data before storing those on queues and during processing, we fetch that data from orchestrator, decrypt and use it.

For this, we are storing our encryption key on orchestrator as type-credential.
Which is why, upon retrieving that key from orchestrator, we have to convert secure string to string before being able to use that key in encrypt/decrypt activities.

Hence, we have a violation of our governance rule (ST-SEC-009 i.e. secure string misusage) enabled at an enterprise level.

Is there a way we can pass encryption key as a secure text which would also comply to our security rule?

Please suggest.

Regards
Sonali

1 Like

Hi ,

“Type Secure Text” activity can be used , with which convert to regular string can be ignored.

Hi Krishna,

Thank you for your response.

However, our requirement is not to use type activity but encrypt/decrypt activity which doesn’t provide a way to pass secure string currently.

Hence, I am looking to understand if there is any other way to achieve this which I am not aware of.

Regards
Sonali

Hi @AndrewHall @loginerror @Paul_Boulescu,

Looping you in here to seek your inputs as this is also related to governance.

This activity usage is interferring with our governance rule ST-SEC-009.

Regards
Sonali

@sonaliaggarwal47 : I am not sure why you need Secure string? In the Encryption activity - type your value and assign key to it. In your orchestrator, have the key value as an Asset. In the Decryption activity you can just pass the key and the encryption result to get your decrypted value. I can send you screenshots for reference if you need. Hope this helps.

Hi @sonaliaggarwal47,

Quite an interesting question. We have had the same challenge before. This request is tricky, here’s why:

UiPath Cryptography library uses a Symmetric-key encryption see docs
https://docs.uipath.com/activities/docs/encrypt-text.

This means that the encryption key you provide will need to be the same plain text string in the Dispatcher when you encrypt and in the Performer where you decrypt your sensitive information.

We have used this method on datatable columns (Forum Thread) containing sensitive values. Although slow on large datasets, it does work. That said, we did not have a strict policy on the use of secure string usage as you are facing.

What you are currently doing is the only feasible way of using the official UiPath Cryptography library. However the alternative you can try is make your own encrypt and decrypt activities in C# which takes the string to be encrypted or decrypted and a secure string ( encryption key) as inputs and outputs a encrypted or decrypted string. This way you do not need to worry about converting secure string (encryption key) to plain text and will thereby pass the governance requirement as well. Both conversion of secure string and encryption /decryption are performed without any data leak with the C# activity.

I still suggest a normal Symmetric-key encryption in your custom C# activity to keep things simple. Also, ensure you take a backup of the encryption key you use in the orchestrator. This is because if you have to change the key during production you will know what the value was, orchestrator do not show credentials (password) field and it is easy to forget encryption keys :slight_smile:

You also may try to look for other encryption / decryption libraries/packages in the market place but my advice is to not use them as they might also not adhere to organizational policy of using 3rd party packages and most often lack clear documentation.

Hope this helps you.

1 Like

You can see my response on a parallel thread Uipath.Web.activities.HttpClient usage violates security rule ST-SEC-009 - #3 by AndrewHall

2 Likes

Hi @Pradeep.Robot,

Thank you for your response. Secure string was needed bcoz encryption key is being saved on orchestrator as a cred asset.

Regards
Sonali

Thank you @jeevith for your response.

Indeed a wonderful addition!!

Yes, we have realized that only possible solution would be to have another version of these activities which can accept secure string.
we are in touch with uipath team for same. Challenge is we have this issue across multiple processes/teams and not just for this scenario. We are facing these in other cases as well like connect activity, http request activity headers, http request activity body etc. So instead of we getting this done internally for our use, it would be worth if this is implemented from uipath front itself so other users can also benefit from this :slight_smile:
I am sure if any organization would consider enabling governance at an enterprise level, this is gonna block them due to a conflict between studio activity configurations and governance rules functioning.

And yes thanks for your tip on backing up keys!!

Regards
Sonali

Hi Guys,

We have explored enough on this request and also raised this on uipath portal. After extensive search and discussions, solution found is as below:

UiPath team will have the studio package for cryptography upgraded to be able to accept keys in a secure manner.
In the meanwhile, we can go for creation of custom rule to bypass check on this activity or drop down this to warning or create custom package version for cryptography which would accept secure string.

Hope this info helps someone.

Regards
Sonali

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.