DEV Community: Mostefa Brougui The latest articles on DEV Community by Mostefa Brougui (@mostefa_brougui). https://dev.to/mostefa_brougui https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1336290%2Fb43cb0cd-e30c-4c0b-87f2-6d874f783934.jpeg DEV Community: Mostefa Brougui https://dev.to/mostefa_brougui en Enhancing Data Security with Spark: A Guide to Column-Level Encryption - Part 2 Mostefa Brougui Sun, 22 Dec 2024 17:19:50 +0000 https://dev.to/aws-builders/enhancing-data-security-with-spark-a-guide-to-column-level-encryption-part-2-55a0 https://dev.to/aws-builders/enhancing-data-security-with-spark-a-guide-to-column-level-encryption-part-2-55a0 <p>This post describes how you can build an AWS Glue ingestion job with PySpark <code>aes_encrypt()</code> function to encrypt sensitive columns. It is part of a series that shows how column-level encryption can be deployed at scale using AWS Glue, AWS KMS and Amazon Athena or Amazon Redshift.</p> <h2> Introduction </h2> <p>In this post, I demonstrate setting up an AWS Glue ingestion job to encrypt sensitive columns using AWS KMS. We will also explore key management approaches and their impact on organizational security practices.</p> <p>In the <a href="https://www.mostefabrougui.com/posts/column-level-encryption-with-spark-part1/" rel="noopener noreferrer">previous post</a>, I introduced column-level encryption using a Jupyter Notebook and a static AWS KMS-generated data key. While useful for learning, hardcoding encryption keys is insecure and impractical for production. Instead, encryption keys should be dynamically managed and accessed securely at runtime.</p> <p><a href="https://docs.aws.amazon.com/glue/" rel="noopener noreferrer">AWS Glue</a> is a "scalable, serverless data integration service that simplifies data discovery, preparation, and combination for analytics, machine learning, and application development." Glue's ability to attach IAM roles to jobs allows seamless interaction with other AWS services like S3 and KMS, enabling tasks such as data ingestion, manipulation (e.g., encryption/decryption), and storage.</p> <p>We will also address key management questions: How should your Glue job encrypt sensitive columns? Where should encryption material be stored? Who should have access to it?</p> <p>Let’s dive in!</p> <h2> Getting Started </h2> <h3> Prepare Your Environment </h3> <p>To set up your AWS Glue for the first time, from the AWS Management Console:</p> <ul> <li>Open the AWS Glue console and select <strong>Prepare your account for AWS Glue</strong>.</li> <li>You can ignore <strong>Choose IAM users and roles for AWS Glue</strong> and choose <strong>Next</strong> if you'll be perfoming the next steps using your current role. Otherwise, select the IAM roles or users (I don't recommend using IAM users) that need to have access.</li> <li>Under <strong>Grant Amazon S3 access</strong>, choose <strong>Next</strong> unless you want to edit the options selected by default. For the sake of this article, I granted access to all my S3 buckets. You will not do the same in a Production setting.</li> <li>Under <strong>Choose a default service role</strong>, keep the default settings and choose <strong>Next</strong>, unless you have an existing IAM role for Glue.</li> <li>Review and confirm your changes by choosing <strong>Apply changes</strong>.</li> </ul> <p>To start building your ingestion job, create a Glue notebook by following the steps below.</p> <ul> <li>From the AWS Glue console, on the left pane, under <strong>ETL jobs</strong>, choose <strong>Notebooks</strong>.</li> <li>On the page <strong>Create job</strong>, select <strong>Notebook</strong> under <strong>Author using an interactive code notebook</strong>.</li> <li>On the <strong>Notebook</strong> pop-up, keep the default settings and choose <strong>Create notebook</strong>.</li> </ul> <p>AWS Glue will spin-up a Glue Studio notebook for you. Start by running the cell that initializes the Glue job and wait for <code>Waiting for session &lt;GUID&gt; to get into ready status...</code>. Your notebook is ready !</p> <h2> Encrypting Sensitive Columns with aes_encrypt() </h2> <p>Now that your Glue job is ready, let’s encrypt specific columns in your dataset using the PySpark function <code>aes_encrypt()</code>. We’ll build a reusable Python module, <code>ColEncrypt</code>, to handle both encryption and decryption, simplifying column-level encryption management in your Glue jobs.</p> <h3> Key Components </h3> <ul> <li>KeyManager: Manages the creation and decryption of Data Encryption Keys (DEKs) using AWS KMS.</li> <li>ColEncrypt: Handles column encryption and decryption, leveraging PySpark's built-in AES functions.</li> </ul> <p>These two components work together to provide a flexible, an almost production-ready solution for column-level encryption with better error handling and monitoring.</p> <p>The source code is <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py" rel="noopener noreferrer">here</a>.</p> <h3> Setting Up Key Management </h3> <p>Hardcoding encryption keys is a bad practice. Instead, use AWS KMS to generate and decrypt DEKs securely at runtime. Here’s how <code>KeyManager</code> handles this:</p> <p>Here's how you can accomplish this in the <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L23-L45" rel="noopener noreferrer">class</a> <code>KeyManager</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">KeyManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">kms_client</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">kms_client</span> <span class="o">=</span> <span class="n">kms_client</span> <span class="k">def</span> <span class="nf">generate_data_key</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">kms_client</span><span class="p">.</span><span class="nf">generate_data_key</span><span class="p">(</span><span class="n">KeyId</span><span class="o">=</span><span class="n">key_id</span><span class="p">,</span> <span class="n">KeySpec</span><span class="o">=</span><span class="sh">"</span><span class="s">AES_256</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">CiphertextBlob</span><span class="sh">"</span><span class="p">]</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to generate data key: </span><span class="si">{</span><span class="n">err</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="k">def</span> <span class="nf">decrypt_data_key</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">encrypted_key</span><span class="p">:</span> <span class="nb">bytes</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bytes</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">response</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">kms_client</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span><span class="n">CiphertextBlob</span><span class="o">=</span><span class="n">encrypted_key</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">Plaintext</span><span class="sh">"</span><span class="p">]</span> <span class="k">except</span> <span class="n">ClientError</span> <span class="k">as</span> <span class="n">err</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed to decrypt data key: </span><span class="si">{</span><span class="n">err</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> </code></pre> </div> <p>The <code>generate_data_key()</code> method fetches an encrypted DEK from KMS, while <code>decrypt_data_key()</code> decrypts it for use in encryption tasks. This ensures a secure, scalable, and auditable approach to key management.</p> <h2> Encrypting Columns with ColEncrypt </h2> <p>The ColEncrypt class applies AES encryption to specified columns, using DEKs managed by KeyManager.</p> <h3> <code>encrypt()</code> Method </h3> <p><a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L70-L84" rel="noopener noreferrer">This method</a> handles the encryption process:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">ColEncrypt</span><span class="p">:</span> <span class="k">def</span> <span class="nf">encrypt</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">key_manager</span> <span class="o">=</span> <span class="nc">KeyManager</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">kms_client</span><span class="p">)</span> <span class="k">for</span> <span class="n">column</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">columns</span><span class="p">:</span> <span class="n">dek</span> <span class="o">=</span> <span class="n">key_manager</span><span class="p">.</span><span class="nf">generate_data_key</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">key_id</span><span class="p">)</span> <span class="n">decrypted_dek</span> <span class="o">=</span> <span class="n">key_manager</span><span class="p">.</span><span class="nf">decrypt_data_key</span><span class="p">(</span><span class="n">dek</span><span class="p">)</span> <span class="n">dek_b64</span> <span class="o">=</span> <span class="n">b64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">dek</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span><span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">,</span> <span class="nf">lit</span><span class="p">(</span><span class="n">decrypted_dek</span><span class="p">)</span> <span class="p">).</span><span class="nf">withColumn</span><span class="p">(</span> <span class="n">column</span><span class="p">,</span> <span class="nf">concat</span><span class="p">(</span><span class="nf">lit</span><span class="p">(</span><span class="n">dek_b64</span> <span class="o">+</span> <span class="sh">"</span><span class="s">::</span><span class="sh">"</span><span class="p">),</span> <span class="nf">base64</span><span class="p">(</span><span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_encrypt(</span><span class="si">{</span><span class="n">column</span><span class="si">}</span><span class="s">, key)</span><span class="sh">"</span><span class="p">)))</span> <span class="p">).</span><span class="nf">drop</span><span class="p">(</span><span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span> </code></pre> </div> <h4> Key Points </h4> <ol> <li>Base64 Encode Encrypted DEK: <ul> <li>The encrypted DEK is encoded using Base64 for storage as a string.</li> <li>The prefix format is <code>encrypted_dek_b64::encrypted_column_value</code>.</li> </ul> </li> <li>Concatenation with Separator: <ul> <li>The concat function adds the <code>encrypted_dek_b64</code> followed by a separator (<code>::</code>) to the encrypted column value.</li> </ul> </li> <li>Temporary Key Column: <ul> <li>A temporary key column is used to store the decrypted DEK during encryption, and it's dropped afterward.</li> </ul> </li> </ol> <h4> Example Output </h4> <p>For a column named <code>sensitive_column</code>:</p> <ul> <li>Original Value: <code>12345</code> </li> <li>Encrypted Column: <code>ENCRYPTED_DEK_BASE64::ENCRYPTED_VALUE</code> </li> </ul> <h3> Usage Example </h3> <p><a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L115-L124" rel="noopener noreferrer">Here’s</a> how you can use ColEncrypt in your Glue job:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">ColEncrypt</span> <span class="kn">import</span> <span class="n">ColEncrypt</span> <span class="c1"># Load the data frame </span><span class="n">df</span> <span class="o">=</span> <span class="n">glueContext</span><span class="p">.</span><span class="n">create_dynamic_frame</span><span class="p">.</span><span class="nf">from_options</span><span class="p">(</span> <span class="n">connection_type</span><span class="o">=</span><span class="sh">"</span><span class="s">s3</span><span class="sh">"</span><span class="p">,</span> <span class="n">connection_options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">paths</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">s3://your-bucket/your-data.csv</span><span class="sh">"</span><span class="p">]},</span> <span class="nb">format</span><span class="o">=</span><span class="sh">"</span><span class="s">csv</span><span class="sh">"</span><span class="p">,</span> <span class="n">format_options</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">withHeader</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">}</span> <span class="p">).</span><span class="nf">toDF</span><span class="p">()</span> <span class="c1"># Specify columns to encrypt </span><span class="n">kms_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">kms</span><span class="sh">"</span><span class="p">,</span> <span class="n">region_name</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-2</span><span class="sh">"</span><span class="p">)</span> <span class="n">columns_to_encrypt</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">column_1</span><span class="sh">"</span><span class="p">,...,</span> <span class="sh">"</span><span class="s">column_n</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Initialize and encrypt </span><span class="n">encryptor</span> <span class="o">=</span> <span class="nc">ColEncrypt</span><span class="p">(</span><span class="n">df</span><span class="p">,</span> <span class="n">columns_to_encrypt</span><span class="p">,</span> <span class="sh">"</span><span class="s">alias/your-kms-key</span><span class="sh">"</span><span class="p">,</span> <span class="n">kms_client</span><span class="p">,</span> <span class="sh">"</span><span class="s">arn:aws:iam::123456789012:role/YourRole</span><span class="sh">"</span><span class="p">)</span> <span class="n">encrypted_df</span> <span class="o">=</span> <span class="n">encryptor</span><span class="p">.</span><span class="nf">encrypt</span><span class="p">()</span> </code></pre> </div> <ol> <li>Initialize the <code>ColEncrypt</code> class with your DataFrame, sensitive columns, KMS Key ID, and KMS client or IAM Role if you want Glue to use different credentials to interact with the KMS key.</li> <li>Call the <code>encrypt()</code> method with or without specifying additional columns.</li> </ol> <p>This approach ensures the encrypted DEK is stored alongside the encrypted value, enabling efficient decryption during data processing. You can generate and/or fetch the DEKs from a centralized Key Store as well, which will not be covered in this post.</p> <h2> Decrypting Columns with ColEncrypt </h2> <p>To <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L86-L103" rel="noopener noreferrer">decrypt</a>, extract the DEK from the first row of the encrypted column, decrypt it using KMS, and apply <code>aes_decrypt()</code>.</p> <h3> <code>decrypt()</code> Method </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">ColEncrypt</span><span class="p">:</span> <span class="k">def</span> <span class="nf">decrypt</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="n">key_manager</span> <span class="o">=</span> <span class="nc">KeyManager</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">kms_client</span><span class="p">)</span> <span class="k">for</span> <span class="n">column</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">columns</span><span class="p">:</span> <span class="n">first_row</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="n">column</span><span class="p">).</span><span class="nf">first</span><span class="p">()</span> <span class="n">dek_b64</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="n">first_row</span><span class="p">[</span><span class="n">column</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">"</span><span class="s">::</span><span class="sh">"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="n">encrypted_dek</span> <span class="o">=</span> <span class="n">b64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">dek_b64</span><span class="p">)</span> <span class="n">decrypted_dek</span> <span class="o">=</span> <span class="n">key_manager</span><span class="p">.</span><span class="nf">decrypt_data_key</span><span class="p">(</span><span class="n">encrypted_dek</span><span class="p">)</span> <span class="n">decrypted_dek_b64</span> <span class="o">=</span> <span class="n">b64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">decrypted_dek</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span><span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span> <span class="n">column</span><span class="p">,</span> <span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_decrypt(unbase64(split(</span><span class="si">{</span><span class="n">column</span><span class="si">}</span><span class="s">, </span><span class="sh">'</span><span class="s">::</span><span class="sh">'</span><span class="s">)[1]), unbase64(</span><span class="sh">'</span><span class="si">{</span><span class="n">decrypted_dek_b64</span><span class="si">}</span><span class="sh">'</span><span class="s">))</span><span class="sh">"</span><span class="p">).</span><span class="nf">cast</span><span class="p">(</span><span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">df</span> </code></pre> </div> <h3> Usage Example </h3> <p>Here is an <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L127-L137" rel="noopener noreferrer">example</a> of how you can decrypt a previously encrypted data frame using the same KMS key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">decryptor</span> <span class="o">=</span> <span class="nc">ColEncrypt</span><span class="p">(</span><span class="n">encrypted_df</span><span class="p">,</span> <span class="n">columns_to_encrypt</span><span class="p">,</span> <span class="sh">"</span><span class="s">alias/your-kms-key</span><span class="sh">"</span><span class="p">,</span> <span class="n">kms_client</span><span class="p">)</span> <span class="n">decrypted_df</span> <span class="o">=</span> <span class="n">decryptor</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">()</span> </code></pre> </div> <p>With these methods, you can easily decrypt sensitive data columns for downstream processing or analysis.</p> <h2> Validating Data Integrity </h2> <p>After decryption, <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/glue_job_notebook_test.py#L140" rel="noopener noreferrer">validate</a> that the original and decrypted data match:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">if</span> <span class="n">original_df</span><span class="p">.</span><span class="nf">subtract</span><span class="p">(</span><span class="n">decrypted_df</span><span class="p">).</span><span class="nf">isEmpty</span><span class="p">()</span> <span class="ow">and</span> <span class="n">decrypted_df</span><span class="p">.</span><span class="nf">subtract</span><span class="p">(</span><span class="n">original_df</span><span class="p">).</span><span class="nf">isEmpty</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Original and decrypted files are identical!</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">Original and decrypted files differ!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This step ensures your encryption and decryption workflows are functioning correctly and that no data is lost or altered.</p> <h2> Conclusion </h2> <p>Column-level encryption with AWS Glue, PySpark, and AWS KMS ensures secure data handling. By implementing <code>ColEncrypt</code>, you can streamline encryption and decryption while adhering to best practices for key management. This approach not only secures sensitive data but also provides a scalable, auditable framework for enterprise-grade security.</p> <p>Stay tuned for the last part of this series, where I'll explore secure analytics on encrypted data with Amazon Redshift.</p> aws kms spark security Enhancing Data Security with Spark: A Guide to Column-Level Encryption - Part 1 Mostefa Brougui Fri, 08 Mar 2024 16:26:29 +0000 https://dev.to/aws-builders/enhancing-data-security-with-spark-a-guide-to-column-level-encryption-part-1-1oaa https://dev.to/aws-builders/enhancing-data-security-with-spark-a-guide-to-column-level-encryption-part-1-1oaa <p>This post describes how you can use PySpark <code>aes_encrypt()</code> function to encrypt sensitive columns when ingesting data. It is part of a series that shows how column-level encryption can be deployed at scale using AWS Glue, AWS KMS and Amazon Athena or Amazon Redshift.</p> <h2> Introduction </h2> <p>In an era where data breaches are increasingly common, securing sensitive data is not just a best practice but a necessity. As Werner Vogels, Amazon's CTO, wisely put it: <em>"Dance Like Nobody’s Watching. Encrypt Like Everyone Is."</em> In this series, we explore how to deploy column-level encryption at scale using an integration of PySpark, AWS Glue, AWS KMS, and Amazon Redshift or Amazon Athena.</p> <h2> Why Column-Level Encryption? </h2> <p>Column-level encryption allows for fine-grained control over data access. It's particularly useful in scenarios where different groups require access to specific data subsets. This post serves as an introductory guide, focusing on the implementation of PySpark's aes_encrypt() function for encrypting sensitive data during ingestion.</p> <h2> Setting the Stage </h2> <p>Before diving into the encryption process, it's important to understand the relevant technologies:</p> <ul> <li> <strong>PySpark</strong>: A Python API for Apache Spark, used for large-scale data processing.</li> <li> <strong>AWS Glue</strong>: A serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development.</li> <li> <strong>AWS KMS</strong>: AWS Key Management Service, a managed service that makes it easy to create and manage cryptographic keys.</li> <li> <strong>Amazon Athena</strong>: An interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.</li> <li> <strong>Amazon Redshift</strong>: A fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data.</li> </ul> <h2> Getting Started </h2> <h3> Prepare Your Environment </h3> <ul> <li>Run a Jupyter Notebook on Docker. <a href="https://towardsdatascience.com/how-to-run-jupyter-notebook-on-docker-7c9748ed209f">Here's how</a>.</li> <li>Clone this repository for sample data and scripts: <a href="https://github.com/MostefaB/column-level-encryption-with-spark">GitHub Link</a>.</li> </ul> <h3> Read Sample Data </h3> <ul> <li>Generate / Upload a CSV file containing a data sample to work with to the notebook. I provide a sample file in the provided GitHub repository: <a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/sample-pci-data.csv">CSV file</a>.</li> <li>Read the sample data using the code below. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">base64</span> <span class="k">as</span> <span class="n">b64</span> <span class="kn">from</span> <span class="n">pyspark.sql</span> <span class="kn">import</span> <span class="n">SparkSession</span> <span class="kn">from</span> <span class="n">pyspark.sql.types</span> <span class="kn">import</span> <span class="o">*</span> <span class="n">spark</span> <span class="o">=</span> <span class="n">SparkSession</span><span class="p">.</span><span class="n">builder</span><span class="p">.</span><span class="nf">appName</span><span class="p">(</span><span class="sh">"</span><span class="s">MyApp</span><span class="sh">"</span><span class="p">).</span><span class="nf">getOrCreate</span><span class="p">()</span> <span class="n">df</span> <span class="o">=</span> <span class="n">spark</span><span class="p">.</span><span class="n">read</span><span class="p">.</span><span class="nf">option</span><span class="p">(</span><span class="sh">"</span><span class="s">header</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">).</span><span class="nf">csv</span><span class="p">(</span><span class="sh">"</span><span class="s">sample-pci-data.csv</span><span class="sh">"</span><span class="p">)</span> <span class="n">df</span><span class="p">.</span><span class="nf">show</span><span class="p">()</span> </code></pre> </div> <p>You should see something similar to the below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>+-------------------+-----------+-------------------+ |First and Last Name| SSN| Credit Card Number| +-------------------+-----------+-------------------+ | Robert Aragon|489-36-8350|4929-3813-3266-4295| | Ashley Borden|514-14-8905|5370-4638-8881-3020| ... only showing top 2 rows </code></pre> </div> <h3> Understanding aes_encrypt() </h3> <p>The aes_encrypt() function in PySpark 3.3 offers AES encryption with various configurations. <a href="https://spark.apache.org/docs/latest/api/python/reference/pyspark.sql/api/pyspark.sql.functions.aes_encrypt.html">Read more about it here</a>.</p> <p>Below is the syntax of the function. It uses AES encryption with 16, 24, or 32-bit keys in ECB, GCM, or CBC modes with appropriate padding. IVs are optional for CBC and GCM modes and are auto-generated if absent. For GCM, optional AAD must match during encryption and decryption. GCM is the default mode.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def aes_encrypt( input: "ColumnOrName", key: "ColumnOrName", mode: Optional["ColumnOrName"] = None, padding: Optional["ColumnOrName"] = None, iv: Optional["ColumnOrName"] = None, aad: Optional["ColumnOrName"] = None, ) -&gt; Column: </code></pre> </div> <p>The following exanple shows the encryption and decryption of the string <code>Spark SQL</code> using the key <code>abcdefghijklmnop</code> which is a 16 characters long = 16 bytes = 128 bits key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">df</span> <span class="o">=</span> <span class="n">spark</span><span class="p">.</span><span class="nf">createDataFrame</span><span class="p">([(</span> <span class="sh">"</span><span class="s">Spark SQL</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">abcdefghijklmnop</span><span class="sh">"</span><span class="p">,)],</span> <span class="p">[</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">key</span><span class="sh">"</span><span class="p">]</span> <span class="p">)</span> <span class="n">df</span><span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="nf">aes_decrypt</span><span class="p">(</span> <span class="nf">unbase64</span><span class="p">(</span><span class="nf">base64</span><span class="p">(</span><span class="nf">aes_encrypt</span><span class="p">(</span><span class="n">df</span><span class="p">.</span><span class="nb">input</span><span class="p">,</span> <span class="n">df</span><span class="p">.</span><span class="n">key</span><span class="p">))),</span> <span class="n">df</span><span class="p">.</span><span class="n">key</span> <span class="p">).</span><span class="nf">cast</span><span class="p">(</span><span class="sh">"</span><span class="s">STRING</span><span class="sh">"</span><span class="p">).</span><span class="nf">alias</span><span class="p">(</span><span class="sh">'</span><span class="s">r</span><span class="sh">'</span><span class="p">)).</span><span class="nf">collect</span><span class="p">()</span> <span class="p">[</span><span class="nc">Row</span><span class="p">(</span><span class="n">r</span><span class="o">=</span><span class="sh">'</span><span class="s">Spark SQL</span><span class="sh">'</span><span class="p">)]</span> </code></pre> </div> <h3> Generating an Encryption Key </h3> <ul> <li> <p>Use AWS KMS's <code>GenerateDataKey</code> API for a robust key generation. This requires an existing KMS key.</p> <ul> <li>To generate the key using the AWS CLI <code>generate-data-key</code> command, use the example shown below. Make sure to replace <code>AWS_PROFILE</code> and <code>KMS_KEY_ID</code> with the correct values. </li> </ul> <pre class="highlight shell"><code>aws kms generate-data-key <span class="nt">--profile</span> AWS_PROFILE <span class="nt">--key-id</span> KMS_KEY_ID <span class="nt">--key-spec</span> AES_256 </code></pre> <p>The response shown below contains the key in <code>Plaintext</code> base64-encoded format and in encrypted (<code>CiphertextBlob</code>) format.<br> </p> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"CiphertextBlob"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AQIDAHjhvhi8z21Psjp5qjRibLXgHGkMMP/BmNWdIKTuZnLdNwHHYQjpmQo0oyk5rk07mjZTAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM6uOfZ7iyJ2UztfidAgEQgDuFQ5fajsvnhfaCmN/q8kk1JinY7gHqT/Bz9W3RxqkEv5ggPZKELcQtqNbRYdEzSwKPDTs+Grp0RtRqWw=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"Plaintext"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tEZPizBEj5EG5IDY1SvAECa5yZa5fVP1SrJGsGimx9I="</span><span class="p">,</span><span class="w"> </span><span class="nl">"KeyId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"KMS_KEY_ID"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> <ul> <li>If you generate the data key using boto3 <code>kms</code> client, you will get a byte string, similar to <code>b"\xc27~\x15\xc7\x9a\x8a|\xb48\\\xd7\x894g-v\xac\xb5\n%\x17\x96g\xab\x88\x8a;|bU/"</code>. This value can be used as-is with the <code>aes_encrypt()</code> function.</li> </ul> </li> <li><p>Alternatively, derive a key from a string using <a href="https://www.ietf.org/rfc/rfc2898.txt">PBKDF2</a>. (<a href="https://github.com/MostefaB/column-level-encryption-with-spark/blob/main/key_derivation_pbkdf2.py">Link to code sample</a>)</p></li> </ul> <h3> Encrypting Sensitive Columns </h3> <p>We'll encrypt the "SSN" and "Credit Card Number" columns as shown below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">encryption_key</span> <span class="o">=</span> <span class="sh">"</span><span class="s">tEZPizBEj5EG5IDY1SvAECa5yZa5fVP1SrJGsGimx9I=</span><span class="sh">"</span> <span class="c1"># Decode the key from Base64 </span><span class="n">decoded_key</span> <span class="o">=</span> <span class="n">b64</span><span class="p">.</span><span class="nf">b64decode</span><span class="p">(</span><span class="n">encryption_key</span><span class="p">)</span> <span class="c1"># Encrypt two columns at the "same time" using the same key </span><span class="n">df_encrypted</span> <span class="o">=</span> <span class="n">df</span><span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span><span class="sh">'</span><span class="s">SSN_Encrypted</span><span class="sh">'</span><span class="p">,</span> <span class="nf">base64</span><span class="p">(</span><span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_encrypt(SSN, unhex(</span><span class="sh">'</span><span class="si">{</span><span class="n">decoded_key</span><span class="p">.</span><span class="nf">hex</span><span class="p">()</span><span class="si">}</span><span class="sh">'</span><span class="s">), </span><span class="sh">'</span><span class="s">GCM</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">)))</span>\ <span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span><span class="sh">'</span><span class="s">CreditCardNumber_Encrypted</span><span class="sh">'</span><span class="p">,</span> <span class="nf">base64</span><span class="p">(</span><span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_encrypt(Credit_Card_Number, unhex(</span><span class="sh">'</span><span class="si">{</span><span class="n">decoded_key</span><span class="p">.</span><span class="nf">hex</span><span class="p">()</span><span class="si">}</span><span class="sh">'</span><span class="s">), </span><span class="sh">'</span><span class="s">GCM</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">)))</span> <span class="n">df_encrypted</span><span class="p">.</span><span class="nf">show</span><span class="p">(</span><span class="n">truncate</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="c1"># +----------------+-----------+-------------------+--------------------+--------------------------+ # | First_Last_Name| SSN| Credit_Card_Number| SSN_Encrypted|CreditCardNumber_Encrypted| # +----------------+-----------+-------------------+--------------------+--------------------------+ # | Robert Aragon|489-36-8350|4929-3813-3266-4295|HI39DkVYN9WLTWAH3...| XqvsWgRty1CBkJ7c9...| # | Ashley Borden|514-14-8905|5370-4638-8881-3020|5ME9bErsff7Zhzw5z...| mhizKvf5053KqStxp...| # ... # only showing top 2 rows </span> <span class="c1"># Output path to store the new CSV </span><span class="n">output_path</span> <span class="o">=</span> <span class="sh">"</span><span class="s">./encrypted/sample-pci-data-encrypted.csv</span><span class="sh">"</span> <span class="n">df_encrypted</span><span class="p">.</span><span class="n">write</span><span class="p">.</span><span class="nf">csv</span><span class="p">(</span><span class="n">path</span><span class="o">=</span><span class="n">output_path</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">overwrite</span><span class="sh">"</span><span class="p">,</span> <span class="n">header</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">sep</span><span class="o">=</span><span class="sh">"</span><span class="s">,</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Decryption Process </h3> <p>Here's how you can decrypt the data using the same key.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">df</span> <span class="o">=</span> <span class="n">spark</span><span class="p">.</span><span class="n">read</span><span class="p">.</span><span class="nf">option</span><span class="p">(</span><span class="sh">"</span><span class="s">header</span><span class="sh">"</span><span class="p">,</span> <span class="bp">True</span><span class="p">).</span><span class="nf">csv</span><span class="p">(</span><span class="sh">"</span><span class="s">encrypted/sample-pci-data-encrypted.csv</span><span class="sh">"</span><span class="p">)</span> <span class="n">df</span><span class="p">.</span><span class="nf">show</span><span class="p">()</span> <span class="n">df_decrypted</span> <span class="o">=</span> <span class="n">df</span><span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span><span class="sh">'</span><span class="s">SSN_Decrypted</span><span class="sh">'</span><span class="p">,</span> <span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_decrypt(unbase64(SSN_Encrypted), unhex(</span><span class="sh">'</span><span class="si">{</span><span class="n">decoded_key</span><span class="p">.</span><span class="nf">hex</span><span class="p">()</span><span class="si">}</span><span class="sh">'</span><span class="s">), </span><span class="sh">'</span><span class="s">GCM</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">).</span><span class="nf">cast</span><span class="p">(</span><span class="sh">"</span><span class="s">STRING</span><span class="sh">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">withColumn</span><span class="p">(</span><span class="sh">'</span><span class="s">CC_Decrypted</span><span class="sh">'</span><span class="p">,</span> <span class="nf">expr</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">aes_decrypt(unbase64(CreditCardNumber_Encrypted), unhex(</span><span class="sh">'</span><span class="si">{</span><span class="n">decoded_key</span><span class="p">.</span><span class="nf">hex</span><span class="p">()</span><span class="si">}</span><span class="sh">'</span><span class="s">), </span><span class="sh">'</span><span class="s">GCM</span><span class="sh">'</span><span class="s">)</span><span class="sh">"</span><span class="p">).</span><span class="nf">cast</span><span class="p">(</span><span class="sh">"</span><span class="s">STRING</span><span class="sh">"</span><span class="p">))</span> <span class="c1"># +----------------+-----------+-------------------+--------------------+--------------------------+ # | First_Last_Name| SSN| Credit_Card_Number| SSN_Encrypted|CreditCardNumber_Encrypted| # +----------------+-----------+-------------------+--------------------+--------------------------+ # | Robert Aragon|489-36-8350|4929-3813-3266-4295|Ft4y7DmP8xN8QtdHn...| 4f7Usr2dvVWbG26Bd...| # | Ashley Borden|514-14-8905|5370-4638-8881-3020|nsdeq//on5T/L64Ow...| 8LN7pIP1pa7Nmoma1...| # only showing top 2 rows </span> <span class="c1"># +----------------+-----------+-------------------+--------------------+--------------------------+-------------+-------------------+ # | First_Last_Name| SSN| Credit_Card_Number| SSN_Encrypted|CreditCardNumber_Encrypted|SSN_Decrypted| CC_Decrypted| # +----------------+-----------+-------------------+--------------------+--------------------------+-------------+-------------------+ # | Robert Aragon|489-36-8350|4929-3813-3266-4295|Ft4y7DmP8xN8QtdHn...| 4f7Usr2dvVWbG26Bd...| 489-36-8350|4929-3813-3266-4295| # | Ashley Borden|514-14-8905|5370-4638-8881-3020|nsdeq//on5T/L64Ow...| 8LN7pIP1pa7Nmoma1...| 514-14-8905|5370-4638-8881-3020| # only showing top 2 rows </span></code></pre> </div> <h2> Conclusion </h2> <p>In this post, I walked through the steps of encrypting and decrypting sensitive data columns using PySpark in a Jupyter Notebook. This setup serves as a foundational step towards a more complex and scalable data ingestion and consumption model, which I'll explore in upcoming posts, including the integration of AWS Glue and AWS KMS.</p> <p><strong>Stay tuned for further insights on scaling this approach and managing encryption keys with AWS KMS!</strong></p> aws spark encryption dataprotection