APIM-Encrypt payload data

Question

APIM-Encrypt payload data

SIMANCHALA MISHRA 40

Hi Team,

We are as part of Banking project and handling most critical payload data.

When there is a request and response from the Transfer API we want to do encrypt the account data in Azure APIM.

Is there a way to do the encryption in Azure APIM to protect the payload data.

Please provide your inputs on this

Regards,

Simanchala Mishra

Accepted answer

0 additional answers

Your answer

Answer 1

navba-MSFT 27,550 Microsoft Employee Moderator

@SIMANCHALA MISHRA Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

I understand that you are checking for a way to encrypt account data in Azure APIM to protect the payload data for a banking project.

From the Security standpoint, Azure API Management supports multiple versions of Transport Layer Security (TLS) protocol to secure API traffic for:

Client side
Backend side

API Management also supports multiple cipher suites used by the API gateway.

By default, API Management enables TLS 1.2 for client and backend connectivity and several supported cipher suites. This guide shows you how to manage protocols and ciphers configuration for an Azure API Management instance.

APIM also abides by the Azure Data Encryption at rest.

To enable message encryption in Azure APIM for the Request body payload, you can use policies. Policies are a powerful feature in Azure APIM that allow you to modify the behavior of API requests and responses.

We have a sample policy which you could start with: https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Encrypt%20data%20using%20expressions.policy.xml.

Within the docs we do show that you have access to various Encrypt and Decrypt methods: https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ref-context-request.

Also note that APIM encrypts all sensitive data (policies, secret named values, subscription keys) using per-service, Microsoft managed encryption keys. The keys are stored in Azure Key Vault (owned by Microsoft).

For more information on how to use policies in Azure APIM, you can refer to the following documentation:

Azure API Management policies
Security Baseline for APIM: https://docs.microsoft.com/en-us/azure/api-management/security-baseline#48-encrypt-sensitive-information-at-rest

I hope this information helps you encrypt the payload data in Azure APIM. Let me know if you have any further questions or concerns.

**
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

SIMANCHALA MISHRA 40 Reputation points

2023-08-28T08:28:31.9066667+00:00

Thanks for the quick response. Gone through the code and I have few questions.

1 Can we use the same code for public and private key concept for the encryption.

2.After adding those can it hit the performance degradation as already, we have pre and post login policy exist for the token authentication.

3.Is it a good practice to add the encryption algorithm in the APIM side.

Regards,

Simanchala
navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2023-08-28T09:19:09.7566667+00:00
@SIMANCHALA MISHRA Thanks for getting back. Please find below the answers to your question inline:

1. Can we use the same code for public and private key concept for the encryption.
You can use the same code for public and private key encryption in Azure APIM. Public key encryption is often used for scenarios where you want to encrypt data that can only be decrypted by a specific recipient with the corresponding private key. Private key encryption is typically used for signing rather than encrypting, but it's possible to adapt the same structure for different cryptographic operations. Keep in mind that public and private key encryption is generally more resource-intensive than symmetric encryption (using the same key for both encryption and decryption).

On a side note, We do have a sample policy snippet: Encrypt data using expressions.policy to encrypt text using AES algorithm and if you want to modify it for decrypt scenario like below (default mode is CBC):

<set-body>@{ byte[] IV = System.Text.Encoding.UTF8.GetBytes("5183666c72eec9e4"); byte[] Key = System.Text.Encoding.UTF8.GetBytes("bf3c199c2470cb477d907b1e0917c17b"); byte[] textinBytes = Encoding.UTF8.GetBytes("cipherText"); byte[] decryptedBytes = textinBytes.Decrypt("Aes", Key, IV); string plaintext = Convert.ToBase64String(decryptedBytes); return plaintext; }</set-body>

**

2.After adding those can it hit the performance degradation as already, we have pre and post login policy exist for the token authentication.**

Encrypting and decrypting data can indeed introduce some performance overhead due to the computational complexity of encryption algorithms, especially for large payloads. However, the actual impact on performance would depend on factors like the size of the data, the encryption algorithm used, the underlying hardware, and the efficiency of your encryption implementation. You should definitely test the performance impact in a controlled environment to ensure that it meets your application's performance requirements.

To mitigate potential performance impacts, you might consider implementing caching strategies, optimizing the encryption code.

**

3.Is it a good practice to add the encryption algorithm in the APIM side.**

It's generally recommended to perform encryption and decryption operations at the application layer, rather than in the API gateway (APIM). The API gateway's main role is to manage, secure, and route API requests, not to perform heavy cryptographic operations. Here are some reasons for that:

Resource Limitations: API gateways are designed for high-throughput request handling and routing. Performing encryption within the gateway can strain its resources, affecting overall performance.

Scalability: Separating encryption into a dedicated application layer allows for better scalability. You can scale your encryption layer independently based on demand without affecting the gateway's performance.

Instead of performing encryption within the API gateway, consider implementing encryption logic in the backend services that handle API requests. This way, you can maintain better control over encryption, key management, and performance.

Remember that encryption is just one part of a comprehensive security strategy. Other layers, such as proper authentication, authorization, and secure communication protocols, also play critical roles in protecting sensitive data. Hope this answers.

Share via

APIM-Encrypt payload data

0 additional answers

Your answer