Encrypting sensitive data in the AI chat

Note: The content in this section applies to the AI chat. If you want to deploy a specific AI assistant, refer to the Deploying your AI assistant section.

Add another level of encryption to hide sensitive data from your users that you want to send to Orchestrate.

Use this method to encrypt sensitive information that come from your website, such as information about a customer's personal information, a user ID, or security tokens to use in webhooks that you call from actions. Information passed to your assistant in this way is stored in a private context variable, and shown in skills if they are configured with the x-ibm-skill-headers property. The private variables cannot be seen by customers and are never sent back to the AI chat.

To encrypt sensitive data:

  1. From the menu, click AI agent configuration > Embed chat.
  2. Toggle Security to On.
  3. Enter a public key into the Public key field.
  4. Click Generate key to generate the IBM-provided public key.
  5. Copy the public key that is displayed in the IBM-provided public key field. Save this public key in a safe location, and do not enter that directly into the AI chat embed script. You can save it as an environment variable in your server's backend.
  6. In the JavaScript function that you use to generate your JWT, include in the payload a private claim called user_payload. Use this claim to contain the sensitive data, encrypted with the IBM public key.

The following code snippet demonstrates how to encrypt sensitive data by using the RSA public key algorithm. It takes a JSON string that represents the user payload of a JWT (JSON Web Token) and encrypts it using the IBM public key. The encrypted data is then converted to a Base64 string and assigned back to the user payload of the JWT.

const RSA = require('node-rsa');

// Example code snippet to encrypt sensitive data in JWT payload.
// If there is a user payload, encrypt it with the IBM public key
// and base64 format.
const dataString = JSON.stringify(jwtContent.user_payload);

// Convert UTF-8 to Byte Stream
const utf8Data = Buffer.from(dataString, 'utf-8');

// Encrypt the data
const rsaKey = new RSA(IBM_PUBLIC_KEY);
jwtContent.user_payload = rsaKey.encrypt(utf8Data, 'base64');
Tip: The user payload must be a valid JSON data. The AI chat uses the default options of the Node-RSA library, which expects the encryption scheme pkcs1_oaep, signing scheme pkcs1-sha256, and the encryption encoding base64.

When the AI chat integration receives a message signed with this JWT, the content of the user_payload claim is decrypted and saved as the context.integrations.chat.private.user_payload object. Since it is a private variable, it will not be included in logs. If you have skills that define the user_payload in the x-ibm-skill-headers property, your skill is able to return the data saved in the user_payload.

Parent topic:

Embedding the AI chat in a page