NAct Postgres Encryption

A postgres persistence plugin for NAct that allows for encrypting fields on a per persisted record type basis. This allows for security and compliance in Event Sourced systems.

NOTE: This is Community Plugin and not officially supported by the Nact maintainers.

Usage

When persisting an event, pass an annotations parameter with at least the key encrypt to aes-256 encrypt the value of the property. This also supports sha256, hmac, md5, and bcrypt encryption.

persist(msg, tags, {
    "encrypt": {
      "my_obj_prop": "aes",
      "my_nested_obj_prop.my_obj_prop": "sha256",
      "my_array_prop": "hmac",
      "my_string_prop": "bcrypt",
      "my_int_prop": "md5",
      "my_float_prop": "bcrypt6",
      "my_float_prop2": "bcrypt7",
      "my_float_prop3": "bcrypt8"
    }
})

The result will look similar to this:

  data: {
    {
      "my_not_encrypted_prop": "Hello World",
      "my_obj_prop": "\\xc30d04090302e305761f7309aaa67fd240012c6396acd2b7cfa9d559db640559711f72bdce19dbb9fe9545eebb8f32612929d7765e2dfee91655ad87e73d25ee1c9e43cb92f7e356061d9a798ae3bc8987"}
  }

Then, if the need to ever scramble the encryption key (Effectively "Forget" a value), call the scrambleEncryption function. This will rotate the encryption key and make the property value unrecoverable. When the aggregated state is rebuilt, the scrambled value will be present while keeping the event journal intact.

Additionally, this plugin adds a metadata column, so that environment specific variables for an event/snapshot can be stored and retrieved.

persist(msg, [], {}, {
    "ip": "127.0.0.1"
})

License