- August 30, 2022
Outbound Relay Response Encryption: An Explainer
Relay ensures that data sent to your infrastructure is automatically encrypted, so you never have to handle it in plaintext. You can send this data through our egress proxy, Outbound Relay, to be decrypted within E3 and sent to a trusted third party.
Until now, Outbound Relay has returned the responses from these third parties unchanged. This poses a problem when they respond with sensitive information that needs to be encrypted before reaching your infrastructure. To work around this limitation, we advised customers to either set up another Relay to encrypt fields in the response, or set up a cage to do the decryption, the request, and the subsequent encryption of the response.
We recognised early on that this was an inelegant process and have developed response encryption to better solve the problem. Our Encryption Manifesto outlines our belief that implementing encryption should be a frictionless process for developers. We now support response encryption for Outbound Relay, bringing us closer to that goal.
With Outbound Relay, you can register the domains that may return sensitive information and configure which fields you want to encrypt in the responses from those domains. When Outbound Relay receives a response, it looks for response encryption rules that match the domain name of the original request. It then sends these rules along with the response to E3, which encrypts the configured fields before the response is returned to your application.
You will not have to change any of your existing code if you have already integrated with our SDKs. Response encryption rules will be applied automatically based on how you configure Outbound Relay within the dashboard.
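The rule-matching flow described above can be modelled in a few lines. This is an added example, not Evervault's code: the rule table format, the dotted field paths, the `placeholder_e3` stand-in and the fail-closed handling of non-JSON bodies are all assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Hypothetical rule table: request hostname -> dotted JSON paths to encrypt.
# The shape is an assumption for this example, not Evervault's configuration schema.
RULES = {"api.payments.example": ["card.number", "card.cvc"]}

def request_host(url):
    """Hostname of the original outbound request (urlsplit lower-cases it)."""
    return (urlsplit(url).hostname or "").rstrip(".")

def encrypt_path(node, parts, encrypt):
    """Follow one dotted path; encrypt the leaf if it exists, else do nothing."""
    key, rest = parts[0], parts[1:]
    if not isinstance(node, dict) or key not in node:
        return
    if rest:
        encrypt_path(node[key], rest, encrypt)
    else:
        node[key] = encrypt(node[key])

def apply_response_rules(request_url, body, encrypt, rules=RULES):
    """Encrypt the configured fields of a JSON response body.

    Rules are selected by the domain the request was sent to, never by
    anything in the response. `encrypt` models the hand-off to E3.
    """
    paths = rules.get(request_host(request_url))
    if not paths:
        return body  # no rule registered for this domain: pass through
    try:
        doc = json.loads(body)
    except ValueError as exc:
        # Choice made in this example: a domain with rules must not return an
        # unparseable body in plaintext, so fail closed.
        raise ValueError("response for ruled domain is not JSON") from exc
    for path in paths:
        encrypt_path(doc, path.split("."), encrypt)
    return json.dumps(doc)

def placeholder_e3(value):
    """Stand-in for the E3 call. NOT encryption; it only masks the value."""
    return "<encrypted>"

# Constructed sample response from a hypothetical third party.
SAMPLE = '{"id": "ch_1", "card": {"number": "4242424242424242", "brand": "visa"}}'

if __name__ == "__main__":
    print(apply_response_rules("https://API.Payments.Example./v1", SAMPLE, placeholder_e3))
```

Because the lookup key is the hostname of the outbound request, a third party cannot influence which rules apply through anything it puts in its response.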
By creating encryption and decryption flows that are simple to integrate, we hope to eliminate the impact of data breaches.
Intern Engineer