Technical Articles
How to use encryption in chaincode
This post has been inspired by the official SAP Help article on the end-to-end encryption. Here I’d like to follow up the process as it might save time for an astute developer should they decide to implement the same functionality. As per usual, you can find the fully deployable code in my repository.
Prerequisites
It is assumed that your SCP Hyperledger Fabric service instance has already been set up. If not, please follow this great blog for instructions.
Please have a look here for the required development tools.
Why would we use encryption?
We would need to encrypt data submitted to the Hyperledger if it’s confidential (like personal address details or goods prices) and we don’t want it to be stored as plain text in either channels or as private data.
So the payload and the encryption key will be passed directly to the chaincode, where they will be used to produce encrypted value to be persisted to the Hyperledger.
How would we use encryption?
We would pass the payload to the Hyperledger together with an encryption key. It is important that the encryption key is not supposed to be stored in the distributed ledger and, therefore, will be passed in a separate section of the chaincode invocation known as transient field. The transient data is never supposed to be committed to the ledger in order to keep this data private.
We will use the same key for encryption and decryption as this is only a basic example to simulate a shared key usage.
Step 1. Implementing the SAP Help example
Once we’ve got a channel ready, let’s create a service key for it:
Leave all the default values as they are:
And then instantiate the channel using the created key:
Once the channel instance is ready, it can be accessed via dashboard:
Now you can download the chaincode archive, install it on your channel and instantiate it:
Please leave all the default settings. We do not upload any collection config here.
Now the trial peer instance should be up and running with your own chaincode installed on it.
Step 2. Using SAP API Hub to call the chaincode
The API Hub can opened directly from the Hyperledger Fabric Dashboard by the API button in the bottom left corner:
In order to call the Hyperledger Fabric API, we would first need to log in and configure the call environment (this is the destination and additional parameters for the API call). Our trial account will most likely be allocated to the eu10 data centre:
You will need to provide the Client Id, Secret and the identityzone (all these values can be taken from the service key, details of which can be found on the Channel tab of the Hyperledger Fabric Dashboard):
Set the ‘Save this environment for future sessions’ radio button and save. We’re all ready to call the chaincode API.
So, once we’ve chosen the ‘eu10’ config, we can try to call our chaincode via the public invoke end point:
We need to provide the following parameters:
- chaincodeid – this can be taken from the Chaincode tab of the Hyperledger Fabric Dashboard
- version – we can just type latest here
- body – this will contain the following JSON object:
{
"function": "ENCRYPT",
"arguments": [],
"transient": {
"key": "10005",
"value": "Hello Encryption",
"ENCKEY": "DeLOd4rWSkCLrNB/jkgzplY9zYRdfMJvZaaO89GWkOQ="
}
}
Once we execute the call, we should receive status 200 (Success):
The encryption key above must be a base64 value. You can generate one yourself in your Linux (or git for Windows) console by the following command:
openssl rand 32 -base64
Let’s try to decode the value by using the following body payload:
{
"function": "DECRYPT",
"arguments": [],
"transient": {
"key": "10005",
"DECKEY": "DeLOd4rWSkCLrNB/jkgzplY9zYRdfMJvZaaO89GWkOQ="
}
}
We should receive the following response containing our decoded message:
If we try to use an incorrect decryption key, the service will fail:
{
"function": "DECRYPT",
"arguments": [],
"transient": {
"key": "10005",
"DECKEY": "BvKrZJwY63aayOkGolJVK9u2md8/tcZu62HrHxhVVE8="
}
}
Conclusion
This basic example can be developed further into more complex scenarios such as asymmetric key encryption or message content validation using digital signatures. The approach can help provide safe storage and retrieval of data on a blockchain network for authorised peers only.