Create secure microservices writing to a consolidated database

Summary

In this developer code pattern, learn how to build and deploy an application that shows how to interface a key management solution like IBM Cloud™ Hyper Protect Crypto Services with a database back end, such as IBM Cloud Hyper Protect DBaaS for MongoDB. In doing so, you can see how to use an IBM Cloud identity and access management (IAM) API key to authenticate and drive a Key Protect REST API to generate keys that are used to encrypt information before it is stored in a database.

Description

A goal of many companies is to reduce costs. If the organization comprises different teams, each owning its own database, it might seem natural to consolidate into a single data layer.

A single data layer is a common pattern in microservices architectures, and it requires every team to read from and write to the same data layer. If that layer is backed by a single database, you might want to restrict access on a per-team basis by doing per-field encryption within the database. Then only a given team with its own key can read its data.

This code pattern is a Node.js application that creates keys, one for each team, and uses a team's key to encrypt some customer data before it is stored in the database. It uses the Key Protect RESTful API provided by an instance of IBM Cloud Hyper Protect Crypto Services, with IBM Cloud Hyper Protect DBaaS for MongoDB as the database. The application can run in a Docker container, for example on a Mac or Linux laptop, or on IBM Cloud Hyper Protect Virtual Servers for runtime protection in the public cloud.

When you have completed this code pattern, you will understand how to:

  • Build and run a Docker container
  • Get environment variables in a Node.js app from Docker
  • Create an IBM Cloud IAM API key
  • Drive the IBM Cloud Key Protect REST API, offered by IBM Cloud Hyper Protect Crypto Services

Flow

  1. User views the web app and inputs customer information.
  2. App generates a key using the Key Protect REST API.
  3. App encrypts the customer information using the generated key and stores it in the database.
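
The per-team, per-field encryption described above can be sketched as follows. This is an added example, not code from the code pattern's repository: the function names, team names and document shape are hypothetical, and each team key is generated locally as a stand-in for a key obtained through the Key Protect REST API.

```javascript
// Added example: per-field, per-team encryption with AES-256-GCM.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumption: in the code pattern each team's key comes from the Key Protect
// REST API; here a locally generated 256-bit key stands in for it.
const teamKeys = {
  sales: randomBytes(32),
  support: randomBytes(32),
};

// Encrypt one field. Team and field name are bound as additional
// authenticated data so a ciphertext cannot be moved to another field or team.
function encryptField(team, field, plaintext) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', teamKeys[team], iv);
  cipher.setAAD(Buffer.from(`${team}:${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { team, iv: iv.toString('base64'),
           tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64') };
}

// Decrypt with the key of the team making the request. Returns null when the
// key or the field binding does not match (GCM tag verification fails).
function decryptField(requestingTeam, field, stored) {
  try {
    const decipher = createDecipheriv('aes-256-gcm', teamKeys[requestingTeam],
                                      Buffer.from(stored.iv, 'base64'));
    decipher.setAAD(Buffer.from(`${stored.team}:${field}`));
    decipher.setAuthTag(Buffer.from(stored.tag, 'base64'));
    return Buffer.concat([decipher.update(Buffer.from(stored.ct, 'base64')),
                          decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong key, unknown team, or tampered record
  }
}

// Constructed sample document, shaped like a record stored in the shared database.
const doc = { customerId: 'c-1001',
              email: encryptField('sales', 'email', 'alice@example.com') };
console.log(decryptField('sales', 'email', doc.email));   // owning team reads the field
console.log(decryptField('support', 'email', doc.email)); // other team gets null
```

Every team can read the stored document, but the `email` field is only recoverable with the owning team's key; the other fields of the record stay usable for shared queries.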

Instructions

Ready to give it a go? Check out the detailed instructions in the README.
