How to implement Custom Data Encryption/Decryption Functions/Procedures in apoc for Client Confidential Information

Please keep the following things in mind:

  1. did you search for what you want to ask before posting?
  2. please use tags for additional info
  3. use a self-descriptive title

Please format code + Cypher statements with the code </> icon, it's much easier to read.

Please provide the following information if you ran into a more serious issue:

  • neo4j version, desktop version, browser version
  • what kind of API / driver do you use
  • screenshot of PROFILE or EXPLAIN with boxes expanded (lower right corner)
  • a sample of the data you want to import
  • which plugins / extensions / procedures do you use
  • neo4j.log and debug.log

What is your actual question?

If we have sensitive data of person like Credit Card Details, Password, Social Security Number etc, As per some compliance policy we need to mask the data or encrypt the data at database. Neo4j not having features to achieve this. In RDMS Database like MS SQL and Oracle we have build in features. As per neo4j we need to take care by implementing application layer encryption/decryption logic. So to achieve this we can do this apoc user defined function or procedures. I want to understand how achieve this.

You can write a TransactionEventHandler (see e.g. https://maxdemarzi.com/2015/03/25/triggers-in-neo4j/) that encrypts certain properties.
However the tx event handlers do not fire when you read data, so you don't have an easy way to decrypt it.

Therefore I think it's better to implement this on application layer.

On approach would be using SDN/OGM. There's e.g. a blog post https://neo4j.com/blog/neo4j-data-encryption-ogm/ doing this with SDN/OGM. Take care - the blog post does use an older version of SDN/OGM.

@stefan.armbruster : Need your input on following approach

  1. Download the apoc code from github : https://github.com/neo4j-contrib/neo4j-apoc-procedures
  2. Write two custom function one for encryption and another for decryption for sensitive applications.
  3. Build the APOC JAR file and place in neo4j server instance.
  4. Currently using python based client application to ingest the data and manipulate the data.
  5. Integrate the apoc to python client application.
  6. Call the apoc encrypt and decrypt function in python client application to work with sensitive information.

Please provide your review on feasibility of solution.

Thank You.
Ram.

Sounds feasible. However I'd prefer to create a seperate project for your two functions. Then just deploy APOC and your project to your plugins folder.