Securing Enterprise Data: GrowingIO’s KMS‑Driven Runtime and PII Encryption
This article explains the definition and importance of data security, describes GrowingIO’s implementation of software runtime protection and static storage encryption using KMS, details data logic isolation, PII management with AES‑256 encryption, and provides code examples for configuring and using these security measures in cloud environments.
What is Data Security
According to Article 3 of the PRC Data Security Law, data security means taking necessary measures to ensure data is effectively protected and lawfully utilized, and to maintain a continuously safe state.
Why Enterprises Need Data Security
In today’s internet era, attackers can steal personal or confidential corporate information through network attacks and deception. Once personal data is obtained, it can uniquely identify individuals, making confidentiality crucial.
GrowingIO Data Security Implementation
To guarantee customer data safety, GrowingIO builds a secure software runtime and encrypts static data storage, enhancing data production security.
Software Runtime Security
Runtime security, i.e., system operation security, includes two aspects:
Data Logic Isolation : The system uses user permissions and roles to define exclusive data operation sets.
KMS Key Management : Databases and middleware rely on a Key Management Service so that leaked keys do not lead to data breaches.
All platform users are assigned roles and permissions via an RBAC model; only users with the appropriate role can view or perform corresponding operations.
KMS (Key Management Service) solutions from cloud providers such as AWS and Alibaba Cloud support various databases, middleware, and application keys. After enabling KMS, usernames, passwords, and static encryption keys become invisible to developers.
Static Storage Security – PII Management
PII (Personally Identifiable Information) refers to any data that can identify a specific individual. Protecting PII is essential for privacy and security because even a small amount of personal data can be used to create fraudulent accounts or sell identities.
GrowingIO encrypts all sensitive user data at rest using AES‑256 (AES/CBC/PKCS5Padding). Encryption is applied when data is stored; decryption is allowed only for authorized users.
Configuration Example (AWS)
<code>kms:
enabled: false
aws:
region: ""
access_key_id: ""
secret_access_key: ""
# Application configuration
spring:
redis:
kms-key: "test/json/redis"
datasource:
kms-key: "test/postgresql/accounts"
</code>Runtime Initialization Example (PostgreSQL HikariCP)
<code>@Bean
@ConditionalOnProperty(value = "kms.enabled", havingValue = "true")
public HikariDataSource dataSource(DataSourceProperties properties, KmsProperties kms, Configs configs) {
SecretsManagerClient client = SecretsManagerClientBuilder.build(kms.getRegion(), kms.getAwsAccessKeyId(), kms.getAwsSecretAccessKey());
AwsSecretProvider secretProvider = new AwsSecretProvider(client);
String secret;
try {
secret = secretProvider.getSecret(configs.getDataSourceKmsKey());
// secret is JSON with connection info
HashMap<String, String> map = Jackson.readValue(secret, HashMap.class);
String url = String.format("jdbc:postgresql://%s:%s/%s?useUnicode=true&useSSL=false&characterEncoding=utf8",
map.get("host"), map.get("port"), map.get("dbname"));
properties.setUrl(url);
properties.setUsername(map.get("username"));
properties.setPassword(map.get("password"));
} catch (Exception e) {
log.error("kms database error", e);
}
HikariDataSource dataSource = properties.initializeDataSourceBuilder()
.type(HikariDataSource.class).build();
if (StringUtils.hasText(properties.getName())) {
dataSource.setPoolName(properties.getName());
}
return dataSource;
}
</code>Any database or middleware can use KMS to manage credentials securely.
PII Encryption/Decryption
<code>// KMS method
SecretsManagerClient client = SecretsManagerClientBuilder.build(kms.getRegion(), kms.getAwsAccessKeyId(), kms.getAwsSecretAccessKey());
AwsSecretProvider secretProvider = new AwsSecretProvider(client);
String secret = secretProvider.getSecret("test/pii/json");
// secret is JSON
HashMap<String, String> map = Jackson.readValue(secret, HashMap.class);
String algorithmIv = map.getOrElse("algorithm_iv", "");
String iv = DatatypeConverter.parseHexBinary(algorithmIv);
String encryptionKey = DatatypeConverter.parseHexBinary(map.get("encryption_key"));
String decryptionKey = DatatypeConverter.parseHexBinary(map.get("decryption_key"));
</code>After PII processing, sensitive data is stored encrypted in the database; the front‑end renders decrypted values only for users with appropriate permissions.
Only administrators see decrypted data after login.
FAQ
IV support : AES_ECB_PKCS5Padding does not support an IV, while AES_CBC_PKCS5Padding does and is more secure. Existing AES implementations may need compatibility adjustments.
Base64 line length : When encrypted strings exceed 76 characters, Java’s Base64 adds line breaks, causing parsing errors. Use the RFC4648 encoder (no line breaks) to avoid this issue.
<code>private static final int MIMELINEMAX = 76;
private static final byte[] CRLF = new byte[] {'\r', '\n'};
static final Encoder RFC2045 = new Encoder(false, CRLF, MIMELINEMAX, true);
static final Encoder RFC4648 = new Encoder(false, null, -1, true);
static final Encoder RFC4648_URLSAFE = new Encoder(true, null, -1, true);
</code>GrowingIO Tech Team
The official technical account of GrowingIO, showcasing our tech innovations, experience summaries, and cutting‑edge black‑tech.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.