docs: add encrypt operations sequence diagram
heitorlessa committed Dec 12, 2023
1 parent 410ed3b commit 42a682b
Showing 1 changed file with 27 additions and 2 deletions.
29 changes: 27 additions & 2 deletions docs/utilities/data_masking.md
@@ -186,7 +186,7 @@ For more information about the parameters for this provider, please see the [AWS

The following sequence diagrams explain how `DataMasking` behaves under different scenarios.

#### Masking operation
#### Mask operation

Masking operations occur in-memory and we cannot recover the original value.

@@ -201,12 +201,37 @@ sequenceDiagram
Lambda->>DataMasking: .mask(data)
DataMasking->>DataMasking: replaces data with *****
Note over Lambda,DataMasking: No encryption providers involved.
DataMasking->>Lambda: return masked data
DataMasking->>Lambda: data masked
Lambda-->>Client: Return response
```
<i>Simple masking operation</i>
</center>

#### Encrypt operation with Encryption SDK (KMS)

We call KMS to generate an unique data key once. It allows us to encrypt this key in-memory, and use it for multiple operations to improve performance and prevent throttling.

> This is known as [envelope encryption](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping){target="_blank"}.
<center>
```mermaid
sequenceDiagram
autonumber
participant Client
participant Lambda
participant DataMasking as Data Masking
participant EncryptionProvider as Encryption Provider
Client->>Lambda: Invoke (event)
Lambda->>DataMasking: encrypt(data)
DataMasking->>EncryptionProvider: Request unique data key (kms:GenerateDataKey)
DataMasking->>DataMasking: Encrypt data key with wrapping key (in-memory)
DataMasking->>DataMasking: Encrypt data with newly encrypted key (in-memory)
DataMasking->>Lambda: ciphertext containing encrypted data
Lambda-->>Client: Return response
```
<i>Encrypting operation using envelope encryption.</i>
</center>

## Testing your code

For unit testing your applications, you can mock the calls to the data masking utility to avoid calling AWS APIs. This can be achieved in a number of ways - in this example, we use the pytest monkeypatch fixture to patch the `data_masking.decrypt` method.
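Review bot: the envelope-encryption steps in the new "Encrypt operation with Encryption SDK (KMS)" diagram are inconsistent with each other: the `kms:GenerateDataKey` request has no response arrow, the next step has Data Masking "Encrypt data key with wrapping key (in-memory)" although the wrapping key lives in KMS (`GenerateDataKey` returns both the plaintext data key and the copy already encrypted under the KMS key), and the payload is then said to be encrypted "with newly encrypted key" when it is the plaintext data key that encrypts the data; the encrypted copy is what travels with the ciphertext. Suggest replacing those three steps with something like `EncryptionProvider-->>DataMasking: plaintext data key + encrypted data key`, `DataMasking->>DataMasking: Encrypt data with plaintext data key (in-memory)` and `DataMasking->>Lambda: ciphertext bundled with encrypted data key`. The intro sentence needs the same correction ("generate an unique data key" -> "a unique data key"; "encrypt this key in-memory" should say the data key is cached and reused for multiple operations, since that reuse is what avoids repeated KMS calls and throttling). Also, the `<center>` line placed directly after the `> This is known as envelope encryption` blockquote will be parsed as a lazy continuation of the quote; add a blank line between them.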
