Select N1QL query to access encrypted data using Java SDK 2.6.2

Hi, I am using Couchbase 5.5 and Couchbase Java SDK 2.6.2. I have the below fields in bucket ‘testdata’:
1> accountNo
2> name
3> address
4> other information
The accountNo and address data are stored using Couchbase encryption. What is the way to get specific accountNo data using a select query in the Java SDK?
For example, the query is: select * from testdata where accountNo = $accountNo
If accountNo = 123 is passed by the client, then it will not match the encrypted data, so what is the way to get this data?
I already tried to encrypt this accountNo and match on it, but every time the encrypted value is different.

It will be really helpful if someone can suggest something on this. I am stuck at this point.

@ajayawasthi this will not work and is the whole point of client-side encryption. Fields that you encrypt with our client-side encryption feature on the client side will not be decodable by other services like the query engine.

@daschl I am trying to access it using the same application. I mean, my one set function is to insert encrypted data, and the get function will be used to retrieve data using a query.
Do you mean to say that we cannot encrypt key fields which we are using to select data?

@ajayawasthi you can select and return encrypted fields from N1QL but you need to do the decryption on the client side. There is no way the N1QL engine can look into your encrypted data, that would defeat its purpose.

@daschl I agree with you, but how can I match accountNo = 123 with the encrypted value? When I try to encrypt this value in my client-side code, its encrypted value is different from the stored one (I think the encryption data is randomly generated).

Hi @ajayawasthi

Every time the SDK encrypts a value, it uses a randomly generated Initialization Vector (IV), resulting in different cyphertext each time, even if the plaintext is the same. It’s not possible to do a N1QL query matching on the encrypted value, because in order to generate an identical encrypted value you’d need to use the same IV.



Hi @david.nault @subhashni
I am new in this area. I have changed the code of the encrypt function to take the same IV every time in encryption 1.0.0 in my local environment instead of my client code.
Is it the right way to do this, or is there some other way?
Please let me know if some other way is possible. Please give me an example if another way is possible. It will be really helpful for me to continue.

Sorry, I guess I confused the issue by talking about the Initialization Vector (IV). I was just trying to explain why what you want to do is not possible: you could theoretically reproduce the encrypted form if you know the IV, but in order to know the IV you need to already have the document. But if you already have the document, there’s no need to query for it!

For all practical purposes, it is not possible to query for the plaintext value of encrypted fields.

Just to expand on this, we took this approach intentionally, as the users requesting encryption were primarily concerned with securing fields they wouldn’t query based on. Carrying the keys to decrypt to other parts of the system increases risk, but enables more features, as you can imagine.

We expect to expand on this in the future, and @don would probably be interested in any further feedback/info.

Also, one thing you can do is execute queries for documents based on other fields, retrieve the key/id and then fetch the document. You can even do this with Java code in a streaming fashion so it’s nice and concurrent. The field-level encryption would then just do its part.

Out of curiosity, can you share the use case around this field you’re querying on?
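
An added illustration of the two points made in the replies above (random IV per encryption; select on another field, then decrypt on the client). It is not code from the thread or from the Couchbase SDK. It assumes plain JCE AES-CBC as a stand-in for the SDK's encryption provider and an in-memory list as a stand-in for the bucket and the N1QL query; all names and sample values are constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class EncryptedFieldLookup {
    static final SecureRandom RNG = new SecureRandom();

    // Encrypt with a fresh random IV; stored form is Base64(IV || ciphertext).
    static String encrypt(SecretKeySpec key, String plain) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, 16 + ct.length);
        System.arraycopy(ct, 0, out, 16, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // The IV travels with the stored value, so only the key holder can decrypt.
    static String decrypt(SecretKeySpec key, String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, 16));
        return new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];
        RNG.nextBytes(k);
        SecretKeySpec key = new SecretKeySpec(k, "AES");
        // Constructed sample documents: {encrypted accountNo, plaintext name}.
        List<String[]> docs = new ArrayList<>();
        for (String[] d : new String[][]{{"123", "alice"}, {"456", "alice"}, {"789", "bob"}})
            docs.add(new String[]{encrypt(key, d[0]), d[1]});

        // Re-encrypting the search value gets a new IV, so it never equals a stored value.
        String probe = encrypt(key, "123");
        System.out.println("equality match: " + docs.stream().anyMatch(d -> d[0].equals(probe)));

        // Select on a plaintext field, then decrypt and compare on the client.
        for (String[] d : docs)
            if (d[1].equals("alice") && decrypt(key, d[0]).equals("123"))
                System.out.println("found by name + client-side decrypt: " + d[1]);
    }
}
```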