We have a requirement to encrypt sensitive data before storing it on queues, and during processing we fetch that data from orchestrator, decrypt it and use it.
For this, we are storing our encryption key in orchestrator as type credential.
Which is why, upon retrieving that key from orchestrator, we have to convert the secure string to a string before being able to use that key in the encrypt/decrypt activities.
Hence, we have a violation of our governance rule (ST-SEC-009, i.e. secure string misusage) enabled at an enterprise level.
Is there a way we can pass the encryption key as secure text which would also comply with our security rule?
@sonaliaggarwal47 : I am not sure why you need a secure string. In the Encryption activity, type your value and assign a key to it. In your orchestrator, have the key value as an Asset. In the Decryption activity you can just pass the key and the encryption result to get your decrypted value. I can send you screenshots for reference if you need. Hope this helps.
This means that the encryption key you provide will need to be the same plain text string in the Dispatcher when you encrypt and in the Performer where you decrypt your sensitive information.
We have used this method on datatable columns (Forum Thread) containing sensitive values. Although slow on large datasets, it does work. That said, we did not have a strict policy on secure string usage like the one you are facing.
What you are currently doing is the only feasible way of using the official UiPath Cryptography library. However, the alternative you can try is to make your own encrypt and decrypt activities in C# which take the string to be encrypted or decrypted and a secure string (the encryption key) as inputs and output an encrypted or decrypted string. This way you do not need to worry about converting the secure string (encryption key) to plain text, and will thereby pass the governance requirement as well. Both the conversion of the secure string and the encryption/decryption are performed without any data leak within the C# activity.
I still suggest normal symmetric-key encryption in your custom C# activity to keep things simple. Also, ensure you take a backup of the encryption key you use in orchestrator, because if you have to change the key during production you will need to know what the value was; orchestrator does not show the credential (password) field, and it is easy to forget encryption keys.
You may also try looking for other encryption/decryption libraries/packages in the marketplace, but my advice is not to use them, as they might not adhere to the organizational policy on using 3rd-party packages, and they most often lack clear documentation.
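The custom-activity approach described in the answer above, written out as an added example (this is not UiPath's code and not the poster's; the class and argument names are made up for illustration). It assumes a .NET 8 project referencing the System.Activities package, as a UiPath Windows custom activity library would; on .NET 6 drop the second `AesGcm` constructor argument. The key reaches the activity as `InArgument<SecureString>`, is marshalled to a zeroed byte buffer only long enough to run PBKDF2, and is never turned into a `System.String`, which is the thing the ST-SEC-009 rule flags.

```csharp
using System;
using System.Activities;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical helper, not UiPath code): AES-256-GCM with a key
// derived from a SecureString, never materialised as a managed System.String.
public static class SecureStringCrypto
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16, KeySize = 32, Pbkdf2Iterations = 100_000;

    // Copy the SecureString's UTF-16 bytes into a byte[] the caller must zero after use.
    // The unmanaged copy is zeroed and freed before returning.
    static byte[] SecureStringToBytes(SecureString s)
    {
        IntPtr p = IntPtr.Zero;
        try
        {
            p = Marshal.SecureStringToGlobalAllocUnicode(s);
            var bytes = new byte[s.Length * 2];
            Marshal.Copy(p, bytes, 0, bytes.Length);
            return bytes;
        }
        finally { if (p != IntPtr.Zero) Marshal.ZeroFreeGlobalAllocUnicode(p); }
    }

    // PBKDF2-SHA256 turns a credential of any length into a 32-byte AES key.
    static byte[] DeriveKey(SecureString secret, byte[] salt)
    {
        byte[] pw = SecureStringToBytes(secret);
        try { return Rfc2898DeriveBytes.Pbkdf2(pw, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, KeySize); }
        finally { CryptographicOperations.ZeroMemory(pw); }
    }

    // Output (base64): salt | nonce | tag | ciphertext, with a fresh salt and nonce per call.
    public static string Encrypt(string plaintext, SecureString key)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length], tag = new byte[TagSize];
        byte[] k = DeriveKey(key, salt);
        try { using var aes = new AesGcm(k, TagSize); aes.Encrypt(nonce, pt, ct, tag); }
        finally { CryptographicOperations.ZeroMemory(k); }

        byte[] blob = new byte[SaltSize + NonceSize + TagSize + ct.Length];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(nonce, 0, blob, SaltSize, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, SaltSize + NonceSize, TagSize);
        Buffer.BlockCopy(ct, 0, blob, SaltSize + NonceSize + TagSize, ct.Length);
        return Convert.ToBase64String(blob);
    }

    // Throws CryptographicException (GCM tag mismatch) on a wrong key or a tampered blob.
    public static string Decrypt(string blobBase64, SecureString key)
    {
        byte[] blob = Convert.FromBase64String(blobBase64);
        int header = SaltSize + NonceSize + TagSize;
        if (blob.Length < header) throw new CryptographicException("Ciphertext too short.");
        byte[] salt = blob[..SaltSize];
        byte[] nonce = blob[SaltSize..(SaltSize + NonceSize)];
        byte[] tag = blob[(SaltSize + NonceSize)..header];
        byte[] ct = blob[header..], pt = new byte[blob.Length - header];
        byte[] k = DeriveKey(key, salt);
        try { using var aes = new AesGcm(k, TagSize); aes.Decrypt(nonce, ct, tag, pt); }
        finally { CryptographicOperations.ZeroMemory(k); }
        return Encoding.UTF8.GetString(pt);
    }
}

// Hypothetical activity shape: the key is InArgument<SecureString>, so the workflow
// can wire the Get Credential output straight in and no secure-string-to-string step exists.
public sealed class DecryptWithSecureKey : CodeActivity
{
    [RequiredArgument] public InArgument<string> Ciphertext { get; set; }
    [RequiredArgument] public InArgument<SecureString> Key { get; set; }
    public OutArgument<string> Plaintext { get; set; }

    protected override void Execute(CodeActivityContext ctx) =>
        Plaintext.Set(ctx, SecureStringCrypto.Decrypt(Ciphertext.Get(ctx), Key.Get(ctx)));
}

// Stand-alone check with constructed inputs (not a real credential).
public static class Demo
{
    static SecureString ToSecure(string s) => new NetworkCredential(string.Empty, s).SecurePassword;

    public static void Main()
    {
        using SecureString key = ToSecure("correct horse battery staple");
        string blob = SecureStringCrypto.Encrypt("ssn=123-45-6789", key);
        Console.WriteLine(SecureStringCrypto.Decrypt(blob, key) == "ssn=123-45-6789" ? "roundtrip ok" : "roundtrip FAILED");
        using SecureString wrong = ToSecure("not the key");
        try { SecureStringCrypto.Decrypt(blob, wrong); Console.WriteLine("unexpected success"); }
        catch (CryptographicException) { Console.WriteLine("wrong key rejected"); }
    }
}
```

Two caveats for anyone adopting this shape. First, the Dispatcher and the Performer must both use this same activity pair with the same credential asset; the blob layout here is not interchangeable with the output of the official Cryptography activities, so do not mix the two on one queue. Second, `SecureString` narrows where the key is exposed, but the plaintext you encrypt and decrypt is still an ordinary managed string, and on .NET Core the `SecureString` contents are not encrypted in memory on non-Windows hosts; the win is satisfying the governance rule and keeping the key out of workflow variables and logs, not a guarantee against a memory dump of the robot process.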
Yes, we have realized that the only possible solution would be to have another version of these activities which can accept a secure string.
We are in touch with the UiPath team for the same. The challenge is that we have this issue across multiple processes/teams, and not just for this scenario. We are facing it in other cases as well, like the Connect activity, HTTP Request activity headers, HTTP Request activity body, etc. So instead of getting this done internally for our own use, it would be worthwhile if this were implemented by UiPath itself so other users can also benefit from it.
I am sure that if any organization considers enabling governance at an enterprise level, this is going to block them due to a conflict between Studio activity configurations and how the governance rules function.
We have explored this request enough and also raised it on the UiPath portal. After extensive search and discussions, the solution found is as below:
The UiPath team will have the Studio package for cryptography upgraded to be able to accept keys in a secure manner.
In the meantime, we can create a custom rule to bypass the check on this activity, downgrade it to a warning, or create a custom package version for cryptography which would accept a secure string.