Encryption Proxy Guide

🔐 Purpose

This configuration is used to run Encryption Proxy as middleware to encrypt sensitive data fields (PII) in PostgreSQL databases - for example in applications like Keycloak.

---

📁 Configuration Structure

1. 🔖 License

license:
  file: "/etc/app/licenses.pem"

• License file for running Encryption Proxy.

---

2. 📝 Logging

log:
  level: trace
  format: pretty
  sync: false

• level: Level log (trace, debug, info, dll.)

• format: Format log (pretty, json)

• sync: If true, the log is directly written to the output.

---

3. 🌐 Server Settings

server:
  enabled: true
  listen: "0.0.0.0:9191"
  metrics_enabled: true
  services_enabled: true

• Enable the internal API server.

• Can be used to expose Prometheus metrics or other internal endpoints.

---

4. 💾 Storage (Token Cleanup / Persistence)

storage:
  driver: "sqlite"
  cleanup_token_interval: 30
  sqlite_config:
    path: "/var/run/proxy"
    in_memory: false

• Set up an internal storage driver (for token/session management).

• cleanup_token_interval: in seconds.

---

5. 🔐 Encryption Settings

encryption:
  default_algorithm: "aes-128-gcm"
  envelope: false
  provider:
    database:
      id: "env"
      default: true
      key_prefix: "ENC_KEY_V"

• Default algoritma: AES-GCM 128 bit.

• Provider ID and prefix key for retrieval from the environment or KMS.

---

6. 🔁 PostgreSQL Proxy

proxy:
  postgres:
    enabled: true
    listen: "0.0.0.0:5432"
    upstream:
      host: postgresql:5432

• Enable PostgreSQL proxy.

• The proxy will listen for connections on port 5432 and forward them to the original DB.

---

7. 🛡️ Encryption Rules

rules:
  sql:
    <database_name>:
      compatibility_mode: true
      scheme: public
      log_original_query: false
      write:
        <table_name>:
          <field_name>:
            hash: true
          username:
            hash: true
          email:
            hash: true
          first_name:
            hash: true
          last_name:
            hash: true
        user_attribute:
          value:
            hash: true

• Rules for writing fields that you want to encrypt/hash.

• compatibility_mode: true allows fallback to plaintext if fields are not encrypted (useful during initial migration).

• The rule above targets a database named <database_name>.

---

✅ Full File Example: config.yaml

license:
  file: "/etc/app/licenses.pem"

log:
  level: trace
  format: pretty
  sync: false

server:
  enabled: true
  listen: "0.0.0.0:9191"
  metrics_enabled: true
  services_enabled: true

storage:
  driver: "sqlite"
  cleanup_token_interval: 30
  sqlite_config:
    path: "/var/run/proxy"
    in_memory: false

encryption:
  default_algorithm: "aes-128-gcm"
  envelope: false
  provider:
    database:
      id: "env"
      default: true
      key_prefix: "ENC_KEY_V"

proxy:
  postgres:
    enabled: true
    listen: "0.0.0.0:5433"
    upstream:
      host: postgresql:5432

rules:
  sql:
    keycloak:
      compatibility_mode: true
      scheme: public
      log_original_query: false
      write:
        user_entity:
          username:
            hash: true
          email:
            hash: true
          email_constraint:
            hash: true
          first_name:
            hash: true
          last_name:
            hash: true
        user_attribute:
          value:
            hash: true

---