Passing sensitive data from workflow to activity

In our application, a workflow begins with a user JWT, which is used to orchestrate activities on behalf of the user across micro-services.

Calls to the individual micro-services will be in activities, requiring that the JWT be passed from the workflow worker to Temporal to the activity worker, thus resulting in user credentials being stored in the Temporal DB.

It is also possible that some micro-service calls will involve Personal Health Information (PHI), which cannot be stored in plain text at any time.

What is the right way to address this situation in Temporal? Can you comment on the security in Temporal around the handling of sensitive information (i.e. protecting customer data from developers)?

One option could be to configure the temporal DB to encrypt all data.

  • Is this possible?
  • As 99% of the data being passed around is nonsensitive, this seems like a lot of overhead, but you have to do something for that last 1%…

Another option could be to deploy a separate microservice for storing secure data

  • The workflow makes a direct call (not through activity) to the service to store the secure data and get the lookup key
  • The workflow passes the key to the activity
  • The activity looks up the secure data and does its job
  • The activity can use the same service to pass secure data back to the workflow
  • Issue: now the workflow is making direct calls to other services and is more vulnerable to network failures

Is there an out-of-the-box option we can use instead? :slight_smile: :unicorn:


We recommend SDK-side encryption for all sensitive information.

All SDKs rely on a pluggable DataConverter interface to perform serialization and deserialization of workflow and activity arguments and results. Implement your own DataConverter that encrypts data using whatever library and certificate management solution you prefer. This way the service will never receive any of your data in clear text and no DB level encryption is needed.

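As an added example, not code from the original thread or from the Temporal SDK, here is what such a worker-side encrypting converter looks like in Go, in the shape the SDK uses for a payload codec (an Encode/Decode pair over a slice of payloads, which the data converter runs after serialization and before deserialization). To run stand-alone it uses a local Payload struct standing in for the SDK's payload type; the metadata key "encryption-key-id", the "binary/encrypted" marker, the key ID and the hard-coded demo key are all assumptions made for the example. A real deployment would plug the codec into the worker's data converter and fetch the key from a KMS or secret store by key ID.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Payload is a stand-in for the SDK's payload type (a metadata map plus raw
// bytes), assumed here so the example compiles without the Temporal SDK.
type Payload struct {
	Metadata map[string][]byte `json:"metadata"`
	Data     []byte            `json:"data"`
}

const (
	metaEncoding      = "encoding"          // metadata key the converters use for the wire format
	encodingEncrypted = "binary/encrypted"  // marker we choose for our ciphertext (assumption)
	metaKeyID         = "encryption-key-id" // hypothetical key-identifier field (assumption)
)

// EncryptionCodec seals every payload on the worker before it reaches the
// Temporal service and opens it again when a worker reads it back.
type EncryptionCodec struct {
	keyID string
	aead  cipher.AEAD
}

// NewEncryptionCodec wraps a 16/24/32-byte AES key. In production the key
// is looked up from a KMS or secret manager by keyID, never embedded.
func NewEncryptionCodec(keyID string, key []byte) (*EncryptionCodec, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EncryptionCodec{keyID: keyID, aead: aead}, nil
}

// Encode replaces each payload with an encrypted one. The entire original
// payload, metadata included, is sealed, so the service cannot even tell
// whether a value was JSON, a protobuf or null.
func (c *EncryptionCodec) Encode(payloads []*Payload) ([]*Payload, error) {
	out := make([]*Payload, len(payloads))
	for i, p := range payloads {
		plaintext, err := json.Marshal(p)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, c.aead.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
			return nil, err
		}
		// Nonce is prepended to the ciphertext; the key ID is bound as
		// associated data so a blob cannot be replayed under another key label.
		sealed := c.aead.Seal(nonce, nonce, plaintext, []byte(c.keyID))
		out[i] = &Payload{
			Metadata: map[string][]byte{
				metaEncoding: []byte(encodingEncrypted),
				metaKeyID:    []byte(c.keyID),
			},
			Data: sealed,
		}
	}
	return out, nil
}

// Decode reverses Encode. Payloads that were never encrypted (for example
// history written before the codec was deployed) pass through untouched; a
// wrong key, an unknown key ID or any bit flip is rejected, not silently read.
func (c *EncryptionCodec) Decode(payloads []*Payload) ([]*Payload, error) {
	out := make([]*Payload, len(payloads))
	for i, p := range payloads {
		if string(p.Metadata[metaEncoding]) != encodingEncrypted {
			out[i] = p
			continue
		}
		if string(p.Metadata[metaKeyID]) != c.keyID {
			return nil, fmt.Errorf("payload encrypted with unknown key %q", p.Metadata[metaKeyID])
		}
		ns := c.aead.NonceSize()
		if len(p.Data) < ns {
			return nil, errors.New("ciphertext too short")
		}
		plaintext, err := c.aead.Open(nil, p.Data[:ns], p.Data[ns:], []byte(c.keyID))
		if err != nil {
			return nil, fmt.Errorf("payload authentication failed: %w", err)
		}
		var orig Payload
		if err := json.Unmarshal(plaintext, &orig); err != nil {
			return nil, err
		}
		out[i] = &orig
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real use
	codec, _ := NewEncryptionCodec("key-2024-q1", key)
	// A constructed JWT argument as the workflow worker would serialize it.
	jwt := &Payload{Metadata: map[string][]byte{metaEncoding: []byte("json/plain")},
		Data: []byte(`"hdr.claims.sig"`)}
	stored, _ := codec.Encode([]*Payload{jwt}) // what the Temporal DB would hold
	fmt.Printf("service sees: encoding=%s, %d opaque bytes\n", stored[0].Metadata[metaEncoding], len(stored[0].Data))
	back, _ := codec.Decode(stored) // what the activity worker recovers
	fmt.Printf("activity worker sees: %s\n", back[0].Data)
}
```

With this in place the only thing the Temporal service and its database ever hold for arguments and results is the "binary/encrypted" marker, a key ID and AES-GCM ciphertext, which also answers the "encrypt everything for the last 1%" worry: encrypting every payload is cheap compared with classifying them, and it removes the chance of a developer mislabelling PHI as non-sensitive. Two caveats a practitioner should keep in mind: the trust boundary moves to the workers and whoever can read their key, so key access is what "protecting customer data from developers" now means; and anything the service itself must read, such as workflow IDs, task queue names and search attributes, is not passed through the codec and must never carry a token or PHI.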