
Unredact Records

Learn how to recover encrypted audit log values redacted with Format Preserving Encryption (FPE)

You can use the integration with the Redact service to redact Secure Audit Log records. When you enable FPE Redaction in the Redact configuration used in Secure Audit Log, logs redacted with FPE can be decrypted to their original values.

Unredact request

You can use the Redact /v1/unredact endpoint to decrypt data redacted with FPE.

Use the same Redact configuration that was applied to redact the data. Copy the Default Token, Config ID, and Domain values from the Redact Overview page in the Pangea User Console, and use them in your call to the /v1/unredact endpoint.

export PANGEA_DOMAIN="aws.us.pangea.cloud"
export PANGEA_REDACT_TOKEN="pts_s2ngg2...hzwafm"
export PANGEA_REDACT_CONFIG_ID="pci_4ku3oviu6bpjsghhpch5hw2l564myecx"

Make a request to the /v1/unredact endpoint in your Pangea project domain. Use the Redact service token to authorize the request.

Provide the following parameters:

  • redacted_data - The redacted text with encrypted values.

    The redacted text is returned under result.redacted_text in the response from the /v1/redact endpoint when you use the Redact APIs directly.

  • fpe_context - The value needed to decrypt data redacted with FPE.

    To decrypt the original values redacted with FPE, you need the context in which the original text was redacted.

    When you use the Redact /v1/redact endpoint APIs directly, the entire context is returned as an opaque value under result.fpe_context in the response.

  • config_id - The Redact service configuration ID.

    The Redact service can have multiple configurations.

    If you use the same token for multiple service configurations, the token alone is not sufficient to determine which configuration you are requesting. In this case, you MUST specify a configuration ID when calling the service APIs. Otherwise, you will receive an AmbiguousConfigID error.

Audit log FPE context

The fpe_context required to unredact log data is attached to each audit record redacted with FPE and is specific to that record. You can get the fpe_context value from the results returned from the Secure Audit Service /v1/search API endpoint by setting the return_context parameter to true.

Example

Enable FPE redaction in Secure Audit Log

Enable FPE redaction and select the fields you want to redact with FPE, as described in the Redact Records documentation. For example, enable FPE redaction on the actor field:

Enable FPE redaction on actor

Enable the Format Preserving Encryption (FPE) redaction method for the Email Address (EMAIL_ADDRESS) and Location (LOCATION) rules, as described in the Redact Rulesets configuration docs:

Select the FPE redaction method for Email Address and Location

Log an event

export PANGEA_DOMAIN="aws.us.pangea.cloud"
export PANGEA_AUDIT_TOKEN="pts_v3cb4s...u4jnej"
export PANGEA_AUDIT_CONFIG_ID="pci_k4scvz7mkp2o6pz5fwfx5fihdv4rxoi6"
export PANGEA_REDACT_TOKEN="pts_s2ngg2...hzwafm"
export PANGEA_REDACT_CONFIG_ID="pci_vm7kmflvlfk5dxngfbvhxp5cokw4ona7"
POST Audit /v1/log
curl --location "https://audit.$PANGEA_DOMAIN/v1/log" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $PANGEA_AUDIT_TOKEN" \
--data-raw '{
  "config_id": "'"$PANGEA_AUDIT_CONFIG_ID"'",
  "event": {
    "message": "Security for the containment units on Isla Nublar, Costa Rica, has been updated.",
    "actor": "dennis.nedry@ingens.com",
    "action": "Update",
    "new": "off",
    "old": "on"
  }
}'
Audit /v1/log response
{
  "status": "Success",
  "summary": "Logged 1 record(s)",
  "result": {
    "hash": "a82fefc842412c4e8d3b6c912e1a002e29588768eccc7505be860e6e61eb0982"
  },
  ...
}

Search for audit records

Use the Secure Audit Log /v1/search endpoint to search for audit records. Set the return_context parameter to true to include the FPE context in the response:

POST Audit /v1/search
curl --location "https://audit.$PANGEA_DOMAIN/v1/search" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $PANGEA_AUDIT_TOKEN" \
--data '{
  "config_id": "'"$PANGEA_AUDIT_CONFIG_ID"'",
  "return_context": true
}'
Note: The response from the /v1/search endpoint might be asynchronous and return a location for polling results:

Audit /v1/search async response
{
  "status": "Accepted",
  "summary": "Your request is in progress. Use 'result, location' below to poll for results. See https://dev.pangea.cloud/docs/api/async?service=audit&request_id=prq_2qngfew2zd54nwxsswkbxstjshkqhvso for more information.",
  "result": {
    "location": "https://audit.us.dev.pangea.cloud/request/prq_2qngfew2zd54nwxsswkbxstjshkqhvso",
    ...
  },
  ...
}

Poll the URL returned in result.location until the response status changes from "Accepted" to "Success" or until a failure is reported:

GET Audit /v1/search
curl --location "<result.location>" \
--header "Authorization: Bearer $PANGEA_AUDIT_TOKEN"

When successful, the response will include the search results. Note the encrypted content in the result.events[0].envelope.event.actor value and the result.events[0].fpe_context value associated with this event:

/v1/search response
{
  "status": "Success",
  "summary": "Found 1 event(s)",
  "result": {
    "id": "pas_akduwgfk5366bm36xpxfygm5rhaszawn",
    "count": 1,
    "events": [
      {
        "envelope": {
          "event": {
            "message": "Security for the containment units on 02YU uTrcKO, GjMd6 51ZV, has been updated.",
            "actor": "jrzW0G.X9hUa@9fJR7Y.Yq9",
            "action": "Update",
            "new": "off",
            "old": "on"
          },
          ...
        },
        "fpe_context": "eyJhIjogIkFFUy1GRjMtMS0yNTYtQkVUQSIsICJ0IjogIndubHg3U2oiLCAibSI6IFt7ImEiOiAzLCAicyI6IDAsICJlIjogMjMsICJrIjogImFjdG9yIn0sIHsiYSI6IDMsICJzIjogMzgsICJlIjogNDksICJrIjogIm1lc3NhZ2UifSwgeyJhIjogMywgInMiOiA1MSwgImUiOiA2MSwgImsiOiAibWVzc2FnZSJ9XSwgImsiOiAicHZpX3FxcTNndXRocm14ZXk1c3BuZ3RzZ3N2cGt6NWFqbHZhIiwgInYiOiAxLCAiYyI6ICJwY2lfaXJzM2Jva2p1dGpyYXN0aXc0azNrN3RqemY2dDYydHEifQ==",
        ...
      },
    ],
    ...
  },
  ...
}

Unredact audit record

Use the Redact /v1/unredact endpoint to decrypt data redacted with FPE.

In your API call, provide result.events[<index>].fpe_context and the stringified content of result.events[<index>].envelope.event from the event data in the response from /v1/search:

POST Redact /v1/unredact
curl --location "https://redact.$PANGEA_DOMAIN/v1/unredact" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $PANGEA_REDACT_TOKEN" \
--data-raw '{
  "config_id": "'"$PANGEA_REDACT_CONFIG_ID"'",
  "redacted_data": {"message":"Security for the containment units on 02YU uTrcKO, GjMd6 51ZV, has been updated.","actor":"jrzW0G.X9hUa@9fJR7Y.Yq9","action":"Update","new":"off","old":"on"},
  "fpe_context": "eyJhIjogIkFFUy1GRjMtMS0yNTYtQkVUQSIsICJ0IjogIndubHg3U2oiLCAibSI6IFt7ImEiOiAzLCAicyI6IDAsICJlIjogMjMsICJrIjogImFjdG9yIn0sIHsiYSI6IDMsICJzIjogMzgsICJlIjogNDksICJrIjogIm1lc3NhZ2UifSwgeyJhIjogMywgInMiOiA1MSwgImUiOiA2MSwgImsiOiAibWVzc2FnZSJ9XSwgImsiOiAicHZpX3FxcTNndXRocm14ZXk1c3BuZ3RzZ3N2cGt6NWFqbHZhIiwgInYiOiAxLCAiYyI6ICJwY2lfaXJzM2Jva2p1dGpyYXN0aXc0azNrN3RqemY2dDYydHEifQ=="
}'

The response from the /v1/unredact endpoint will include the count of unredacted entries and the original data with decrypted values where the FPE redaction was applied, found under the result.data key:

/v1/unredact response
{
  "status": "Success",
  "summary": "Success. Unredacted 3 item(s) from items",
  "result": {
    "data": {
      "message": "Security for the containment units on Isla Nublar, Costa Rica, has been updated.",
      "actor": "dennis.nedry@ingens.com",
      "action": "Update",
      "new": "off",
      "old": "on"
    }
  },
  ...
}
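
The search-then-unredact steps above, as an added Python example (not Pangea's own code or SDK): it pairs each event from a /v1/search response with its own fpe_context and builds the /v1/unredact request without sending it. The sample response, the placeholder context, token and config ID values, and the function names are constructed for illustration.

```python
import json
import urllib.request

# Constructed /v1/search response: one FPE-redacted event, one without a context.
SAMPLE_SEARCH = {
    "status": "Success",
    "result": {"count": 2, "events": [
        {"envelope": {"event": {"message": "Login from 02YU uTrcKO",
                                "actor": "jrzW0G.X9hUa@9fJR7Y.Yq9"}},
         "fpe_context": "CONSTRUCTED-OPAQUE-CONTEXT-1"},
        {"envelope": {"event": {"message": "Service restarted", "actor": "system"}}},
    ]},
}

def unredact_payloads(search_response, config_id):
    """Return one /v1/unredact body per event that carries an fpe_context."""
    status = search_response.get("status")
    if status == "Accepted":
        # Asynchronous reply: no events yet, result.location must be polled first.
        raise RuntimeError("search pending, poll " + search_response["result"]["location"])
    if status != "Success":
        raise RuntimeError(f"search failed with status {status!r}")
    payloads = []
    for item in search_response["result"].get("events", []):
        context = item.get("fpe_context")
        if not context:
            continue  # nothing to decrypt for this record
        payloads.append({
            "config_id": config_id,
            # The context is specific to its record: never reuse it across events.
            "redacted_data": item["envelope"]["event"],
            "fpe_context": context,  # opaque value, passed through unchanged
        })
    return payloads

def unredact_request(payload, domain, token):
    """Build (but do not send) the POST to the Redact /v1/unredact endpoint."""
    return urllib.request.Request(
        f"https://redact.{domain}/v1/unredact",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )

if __name__ == "__main__":
    for body in unredact_payloads(SAMPLE_SEARCH, "pci_placeholder"):
        req = unredact_request(body, "aws.us.pangea.cloud", "pts_placeholder")
        print(req.get_method(), req.full_url, json.dumps(body, indent=2))
```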
