㊙️ Data obfuscation

Obfuscate sensitive data using a private key known only to the user.

Sensitive information collected as payloads can be obfuscated during instrumentation by simply including optional configurations when initializing Helios.
Obfuscation is done using a private key chosen by and known only to the user. The data is hashed with an irreversible function.
Some users may choose to use an allowlist approach to control what data is obfuscated, while others might opt for a blocklist approach. Both are supported by the Helios SDK.

Enabling data obfuscation via environment variables

Configure the following environment variables in the environment where your service runs:

# Configure at most one of the following two (allowlist or blocklist).
# If both are omitted, no obfuscation is done.
# In docker-compose.yml files, the dollar sign might also need to be escaped.
HS_DATA_OBFUSCATION_ALLOWLIST=[\"$.collection\",\"$.metadata.*\",\"$.users[*].id\"]
HS_DATA_OBFUSCATION_BLOCKLIST=[\"$.collection\",\"$.metadata.*\",\"$.users[*].id\"]
HS_DATA_OBFUSCATION_HMAC_KEY=12345

Enabling data obfuscation via code

Configure the following parameters in Helios' initialize function:

initialize({
    ...,
    dataObfuscation: {
        // Replace with your private key.
        hmacKey: '12345',
        // Replace with JSONPath expressions that match your DTOs (data transfer objects).
        // Configure at most one of the following two (allowlist or blocklist).
        // If both are omitted, no obfuscation is done.
        allowlist: [
            '$.collection',
            '$.metadata.*',
            '$.users[*].id'
        ],
        blocklist: [...]
    }
});

The same configuration in Python:

initialize(
    ...,
    # Replace with your private key.
    data_obfuscation_hmac_key='12345',
    # Replace with JSONPath expressions that match your DTOs (data transfer objects).
    # Configure at most one of the following two (allowlist or blocklist).
    # If both are omitted, no obfuscation is done.
    data_obfuscation_allowlist=[
        '$.collection',
        '$.metadata.*',
        '$.users[*].id',
        ('$.type', 'unclassified')
    ],
    data_obfuscation_blocklist=[...]
)

HMAC key

Choose a private key that is used by the hash function when obfuscating data.
Each node (i.e. leaf) in the service's DTOs is replaced by the first 8 characters of its hash, before the SDK exports the span to Helios.
For example: { name: 'John Smith' } is replaced with { name: '2d3ab0b7' }.
Numbers and strings are obfuscated, while undefined, null/None and boolean values are not changed.
The same key always generates the same hash for the same value, but different keys generate different hashes for the same value.
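
The leaf-replacement rules described above, as an added sketch that is not the Helios SDK's own code. It assumes HMAC-SHA256 over the value's string form (the page does not name the digest or the serialization, so the output will not necessarily match `2d3ab0b7`); `obfuscate` and `obfuscate_leaf` are hypothetical names, and allowlist/blocklist matching is left out.

```python
import hashlib
import hmac


def obfuscate_leaf(value, key: bytes):
    """Replace a string or number with the first 8 hex chars of its keyed hash."""
    # bool is a subclass of int in Python, so it must be ruled out before
    # the number check or True/False would be hashed like 1/0.
    if value is None or isinstance(value, bool):
        return value
    if isinstance(value, (str, int, float)):
        # Assumption: HMAC-SHA256 over str(value) encoded as UTF-8.
        digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:8]
    return value  # any other type is left alone in this sketch


def obfuscate(node, key: bytes):
    """Walk a decoded JSON document and obfuscate every leaf; input is not mutated."""
    if isinstance(node, dict):
        return {k: obfuscate(v, key) for k, v in node.items()}
    if isinstance(node, list):
        return [obfuscate(v, key) for v in node]
    return obfuscate_leaf(node, key)


# Constructed sample payload, not taken from a real service.
SAMPLE = {
    "collection": "users",
    "metadata": {"active": True, "deleted_at": None},
    "users": [{"id": 1017, "name": "John Smith"}],
}

if __name__ == "__main__":
    import json

    # Same key twice gives identical output; a different key gives different hashes.
    print(json.dumps(obfuscate(SAMPLE, b"12345"), indent=2))
    print(json.dumps(obfuscate(SAMPLE, b"another-key"), indent=2))
```

Because the same key maps equal values to equal hashes, anyone holding the key can test guesses against low-entropy fields, so store the key as a secret and replace the `12345` placeholder with a long random value.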