Selectable External Content Encryption

Some sensitive content must be configured to be encrypted using a key from an external encryption key source. Data that has the attribute [TBD:ExternalEncryption] must be encrypted prior to storage in the underlying cloud provider's storage system. The encryption key is pre-established by the operator. The OSDU data platform service reaches the external key provider via an API call before encrypting or decrypting. This call can fail (because the operator has withdrawn consent to decrypt this data in the data platform), so failures must be handled gracefully.

Operator Input

  • ExxonMobil lists this as a requirement to store sensitive data (e.g., annotations, commentary) in the OSDU data platform.

Example: Export data

  1. End user requests sensitive data to be exported
  2. Data platform service retrieves encrypted data from cloud platform storage
  3. Data platform service contacts external key provider to retrieve data key (that decrypts this data element)
  4. Choice:
       a. External key service replies negative: no key found / available. Data platform returns an error code.
       b. External key service replies with a data key: Data platform decrypts the data and continues normally.

Example: Load data

  1. End user requests sensitive data to be loaded. The manifest sets the [TBD:ExternalEncryption] attribute.
  2. Data platform service contacts external key provider to retrieve new data key (that will encrypt this data element)
  3. Choice:
       a. External key service replies negative: no key available. Data platform returns an error code for this file.
       b. External key service replies with a data key: Data platform encrypts the data with the provided data key and continues normally.
Edited by Paco Hope (AWS)
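
The load and export flows above, as an added example that is not code from the OSDU project. It assumes AES-GCM from the Python `cryptography` package; `ExternalKeyProvider`, `DataPlatform` and the `ERR_KEY_UNAVAILABLE` code are hypothetical names, and the provider is a constructed in-memory stand-in for the operator's key service.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class KeyUnavailable(Exception):
    """Key provider replied negative: no key found / available."""

class ExternalKeyProvider:
    """Constructed in-memory stand-in for the operator's key service (hypothetical API)."""
    def __init__(self):
        self._keys = {}
        self.consent = True  # the operator can withdraw consent at any time

    def new_data_key(self, record_id):
        if not self.consent:
            raise KeyUnavailable(record_id)
        self._keys[record_id] = AESGCM.generate_key(bit_length=256)
        return self._keys[record_id]

    def get_data_key(self, record_id):
        if not self.consent or record_id not in self._keys:
            raise KeyUnavailable(record_id)
        return self._keys[record_id]

class DataPlatform:
    """Hypothetical data platform service; keys are fetched per request and never cached."""
    def __init__(self, provider):
        self.provider = provider
        self.storage = {}  # stands in for the cloud provider's storage system

    def load(self, record_id, plaintext):
        try:
            key = self.provider.new_data_key(record_id)
        except KeyUnavailable:
            return "ERR_KEY_UNAVAILABLE"  # fail closed: nothing is stored in the clear
        nonce = os.urandom(12)
        # The record id as associated data binds the ciphertext to its record.
        sealed = AESGCM(key).encrypt(nonce, plaintext, record_id.encode())
        self.storage[record_id] = nonce + sealed
        return "OK"

    def export(self, record_id):
        blob = self.storage[record_id]  # encrypted data retrieved from storage
        try:
            key = self.provider.get_data_key(record_id)
        except KeyUnavailable:
            return "ERR_KEY_UNAVAILABLE", None  # error code, no partial data
        return "OK", AESGCM(key).decrypt(blob[:12], blob[12:], record_id.encode())
```

Because the platform holds no copy of the data key, setting `consent = False` on the provider makes the next export fail even though the ciphertext is still in storage.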