Changelog

Alerting Updates

Welcome to Part 2 of 'staying on top of any errors that occur in your system'.

Firstly, you can now configure Evervault to send alerts for both Cages and Relays. We've also expanded our third-party integration support to include Discord as well as Slack. If you need to control the flavour of error that you'd like to receive via an alert (4XX, 5XX), this is also configurable within the dashboard. Lastly, we've added custom webhook support for those of you who prefer to handle your workflow programmatically.

We've included more information on alerts in the docs.

Encrypting credit card data just got a lot easier

With Evervault Inputs we’re making it easier than ever to become PCI compliant.

This functionality, embedded within our JavaScript and React SDKs, makes it easy to collect encrypted cardholder data in a completely PCI-compliant environment.

Evervault Inputs are served within an iFrame retrieved directly from Evervault’s PCI-compliant infrastructure, which can reduce your PCI DSS compliance scope to the simplest form (SAQ-A) once integrated correctly.

It’s as easy as specifying the ID of the element in which the iFrame should be embedded.

Get started with Evervault Inputs →

Introducing the Evervault Java SDK

Evervault is continuously expanding and improving the developer experience of the platform, and supporting an ever-expanding ecosystem of programming languages with SDKs is one of our top priorities.

We are delighted to now provide full support for the Evervault platform with Java. Using the Java SDK, developers can now encrypt data, proxy requests through Relay, and interact with Cages.

Check out our Java SDK docs.

New Slack integration for Relay

It’s important to stay on top of any errors that occur in your system. With that in mind, we’ve just shipped our first alert feature. You can now configure a Slack channel to receive alerts when your Relay encounters an error. You will now know in real time if an inbound request from your client fails before it reaches your app.

See issues that matter and triage them accordingly!

We are working on adding support for Cages alerts next, and adding new destinations so you can keep on top of alerts from your favourite app.

To set up alerts in the Dashboard, go to Relay → Alerts → Setup Slack Channel

Introducing support for NIST P-256 curves

With this update we are adding support for the secp256r1 curve — also known as NIST P-256 or prime256v1. Relay already supports secp256k1 (Koblitz) curves, but now we’re providing our users with the choice so they can decide which curve they want to use.

Our SDKs will continue to default to the secp256k1 curve, but please follow our Python SDK and NodeJS SDK guides to learn how to change your curve.


For more in-depth information about elliptic curves and their differences, please refer to our documentation on elliptic curves.

Introducing Cage IP Whitelist

By default, your Cages can be run by any client with a valid API key, but you may want to have additional control over where your Cage can be run from.

You can now restrict your Cage to only accept invocations from a predefined set of IPs. Define a list of IP addresses and/or CIDR blocks to accept in the Evervault dashboard.

If a Cage run is requested from outside of your whitelist, the invocation will be rejected with a status code of 403, or a ForbiddenIPError in our Node & Python clients.

You can read more about Cage IP whitelisting in our docs & can get started by going to Dashboard → Cage → IP Whitelist.
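A local pre-check for the allowlist described above, as an added example that is not Evervault code and makes no Evervault API calls: it validates the IP and CIDR entries you plan to enter and reports which of your caller addresses would fall outside the list and be rejected with a 403. The function names are hypothetical, the addresses are constructed from documentation ranges, and the matching rules (including unwrapping IPv4-mapped IPv6 addresses) are assumptions about how such a list is typically evaluated.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real infrastructure.
ALLOWLIST = ["198.51.100.10", "203.0.113.0/28", "2001:db8:1::/48", "203.0.113.77/24"]
CALLERS = ["198.51.100.10", "203.0.113.14", "203.0.113.16",
           "::ffff:203.0.113.5", "2001:db8:1:ff::9", "2001:db8:2::1"]

def parse_allowlist(entries):
    """Parse single IPs and CIDR blocks; return (networks, rejected_entries)."""
    networks, rejected = [], []
    for raw in entries:
        try:
            # strict=True refuses blocks with host bits set (e.g. 203.0.113.77/24),
            # which usually means a typo rather than an intended range.
            networks.append(ipaddress.ip_network(raw.strip(), strict=True))
        except ValueError:
            rejected.append(raw)
    return networks, rejected

def normalise(address):
    """Assumption: dual-stack hosts may report IPv4 peers as ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_allowed(address, networks):
    """True if the address falls inside any allowlisted network."""
    ip = normalise(address)
    return any(ip.version == net.version and ip in net for net in networks)

def uncovered_callers(callers, networks):
    """Caller addresses that are outside the allowlist and would be rejected."""
    return [c for c in callers if not is_allowed(c, networks)]

if __name__ == "__main__":
    nets, bad = parse_allowlist(ALLOWLIST)
    print("invalid entries:", bad)
    print("would be rejected:", uncovered_callers(CALLERS, nets))
```
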

Outbound Destinations

Outbound Relay traffic passes through Evervault’s proxy and is decrypted before going to trusted destinations like Stripe or Twilio. We’ve added the ability to put a hard constraint on what destinations data should be forwarded to.

When you start configuring Outbound Destinations for a team, any request to a domain not in the list will be blocked whether it contains encrypted data or not.

You can now start restricting your Outbound Destinations in the Evervault Dashboard: Settings → Outbound Destinations → Configure Destinations

Encrypted Environment Variables

Environment variables are helpful when storing strings such as node environments and API URLs. But they can also contain values best kept secret, like database passwords.

We just released new functionality that allows you to securely store secret environment variables. You can now choose to make your environment variables secret at creation.

By choosing this new option, your environment variables will be masked in the Evervault dashboard and CLI.

You can access the feature in the Evervault Dashboard: Cage → Environment Variables → Create variable

Announcing Relay latency tracking

We know that latency is a core consideration when implementing Evervault Relay, so we’re delighted to be releasing our new latency reporting functionality today.

For every request your users send through Relay, we measure and record the latency between Evervault’s infrastructure and your infrastructure. The charting functionality in the Dashboard allows you to analyze latency at various percentiles, making it easier for you to make latency commitments to your own users.

Application performance is a major priority for us in every engineering decision that we make, so we’re excited about this first step in holding ourselves accountable for improving your infrastructure’s performance.

Introducing Relay Activity charts

We are happy to announce charting for Relay requests. The goal is to help make traffic data more digestible, so it’s easier to monitor trends over time, see spikes in traffic, and identify any possible bottlenecks.

With the new charting capabilities, users are also able to filter by HTTP code (e.g. 2XX, 3XX, 4XX, 5XX) or any search term — because when you filter for logs the chart is also updated to reflect your search.

This is the first of a series of improvements we are making to help users better understand traffic behaviour, and get better insights from their data. Stay tuned!

Documentation Overhaul

This month, we overhauled the Evervault documentation. We rewrote and reprioritised content, improved navigation and discoverability and reworked the landing page. Overall, it’s a big plus for developer experience. Within the coming months, we’ll also be adding technology-specific user guides to cater to the growing number of Evervault use cases; so keep an eye out for your stack.

Check out the new and improved Evervault documentation at docs.evervault.com.

Improved error logging for Relay

Evervault Relay accepts connections from your users, encrypts sensitive data fields and then connects to your API and transmits the encrypted data over TLS. Occasionally, errors can occur between your user and Relay or between Relay and your API. These errors can often be difficult to debug without verbose request logs.

We just released new functionality that surfaces underlying system errors to developers, so you can quickly identify issues in your system. The errors displayed are bubbled up directly from our underlying HTTPS implementation and include details on things like TLS handshake errors, socket hangups and network timeouts.

You can access the feature by navigating to Relay → Activity Logs in the Evervault Dashboard.

Coming soon: get notified about unusual events and error spikes by e-mail, SMS, PagerDuty or Slack.

Mutual TLS Support

Evervault Relay communicates directly with your API over Transport Layer Security (TLS). Your API may be configured to require client-side TLS authentication. This is known as Mutual TLS (or mTLS).

We just released a new feature that allows you to upload an mTLS certificate to authenticate the connection between Relay and your API.

We also allow you to upload password-protected certificates for added security.

Enabling mTLS between Relay and your API means that you can block any requests that are not routed through Evervault, preventing you from accidentally collecting plaintext sensitive data as well as giving you the ability to reject clients that are not protected by Relay's network-level security capabilities.

You can access the feature by navigating to Relay → Configuration → Mutual TLS Certificates in the Evervault Dashboard.

Configure Relay from Traffic

Evervault automatically encrypts sensitive data at the field-level. Developers specify the routes and fields they want to encrypt, then requests are encrypted before ever entering your app. Straightforward, right?

Well, we've just shipped a feature that makes this process even more intuitive. Developers can now configure encrypted fields directly from existing Relay traffic.

When you choose a request from the last 24 hours, we'll build an interactive map of the JSON payload, allowing you to quickly select any fields you'd like to encrypt.

You can access the feature at Relay → Encrypted Fields → Configure using Relay's Traffic.

The feature also supports JSONPath and Wildcards for URL Parameters!

Relay Response Encryption

Fancy name, what’s that?

Well…

When a request is sent through an Evervault Relay, some fields are encrypted — as defined by you in the Evervault Dashboard. This payload (which is a mixture of plaintext and ciphertext) is sent to the Relay’s pre-configured destination — your API — which you also define in the Dashboard.

The response from the target may, in some cases, contain encrypted data.

To ensure client-side applications (e.g. web browsers, phones, etc.) do not render encrypted data to your users, Relay will decrypt any Evervault-encrypted strings before they are shown in your UI.

Of course, some data is so sensitive that it must also be masked from clients. Common use cases of this include payment credentials, banking information, and application secrets.

To support this, Relay can now be configured in a new mode.

When a request is sent through Relay, any fields configured to be encrypted will now be encrypted on the response from Relay’s target — not the request to it.

This mode can be used to retrieve sensitive data from your own or third-party APIs, masked as encrypted data and shown to your users!

New Onboarding Experience

Over the last number of weeks, we've been rolling out a new onboarding experience for first-time Evervault users. The feature is a contextual tutorial that allows users to send JSON data through a configurable Sandbox Relay and watch as it gets encrypted in real time. Why? Better onboarding, which decreases time-to-first-encryption, will improve user proficiency and retention.

Sandbox Relays which are created during onboarding can be accessed via your Dashboard — just in case you ever need to reacquaint yourself with Relay or test a new encrypted payload structure.

To access the new onboarding experience, just create a new account with Evervault.

New region, new guides, and CI pipeline deployment

This week we are introducing new guides (and improving the old ones) in our Dashboard, so it’s easier to get started with Relay and Cages. Some of the new guides include:

  • How Relay works
  • Running Relay with your local server
  • Using outbound interception with our SDKs
  • How to run and deploy your Cage

On the product side, the changes made include:

In addition, we have reduced the bundle size of our dashboard from 2.63 MB to 1.95 MB (25% smaller), so it should be a lot faster to load! We will continue to improve this further.

As always, lots of small bugs were fixed and performance improvements were made across the board.

Relay and Cages 1.0

Relay and Cages are live. Both are built on the Evervault Encryption Engine (E3).

E3 is what all Evervault products and services will be built on, and is where all cryptographic operations will happen. E3 is built on AWS Nitro Enclaves — fully isolated, hardened, and highly constrained virtual machines that have no persistent storage, no interactive access, and no external networking.

Relay makes it easy for developers to automatically encrypt sensitive data at the field-level before it enters their app, and decrypt it as it leaves.

Cages are isolated serverless functions hosted on Evervault for processing the data encrypted with Relay.