Adding Field Level Encryption to Hyperledger Private Data


The Private Data feature in Hyperledger is great for keeping data private between Organization A and Organization B in a channel with other Organizations that don’t need that private data, e.g. Organizations C-F.

Enterprise-level companies will need far more granular control of the private data within their own authorized organization. Specifically, these companies need individual private data fields to remain accessible to approved users while being inaccessible to non-approved users and even to admins with root privileges. Typically this type of access control is done with an HSM (Hardware Security Module).

Typical external, network-connected HSM

I have added a credit card field to the Hyperledger Fabric Marbles Private Data Sample to demonstrate how we can add field level encryption to the private data. Our use case is that billing can see the customer's credit card number but no one else can, not even root users within the authorized peer.

The first step is to add the credit card field to the private struct in the Golang chaincode file marbles_chaincode_private.go.

Next, edit the initMarble func so that the argument-count check becomes len(args) != 6, which lets us pass in the encrypted credit card after the price. Then add creditCard := strings.TrimSpace(args[5])

The final edit to the file is to assign the creditCard value to the marblePrivateDetails pointer.

The following steps can be performed in the Hyperledger docker container. docker exec -it cli bash

Step 1 — Pass our test credit card string 4111111111111111 to openssl, specifying AES with a 256-bit key in CBC mode, and enter a billing password when prompted. echo "4111111111111111" | openssl enc -aes-256-cbc -a

Step 2 — Copy the encrypted credit card.

Step 3 — Init the marble2's private data with the encrypted credit card.
peer chaincode invoke -o --tls --cafile /opt/gopath/src/ -C mychannel -n marblesp -c '{"Args":["initMarble","marble2","blue","35","tom","99","U2FsdGVkX1/eXpf/PjWAtPSUADmRh4t7ApAKUYoVpH8nCDaOx/cLWiZRGEd8KRHt"]}'

Step 4 — Query marble2's private data. peer chaincode query -C mychannel -n marblesp -c '{"Args":["readMarblePrivateDetails","marble2"]}'
The admins and even the root users on the node can only see the encrypted credit card string. This allows the admins and root users on the peer node to do their jobs, while keeping the credit card data secure and visible only to the users in the billing department in step 5.

Step 5 — Decrypt the encrypted credit card using the billing password. echo "U2FsdGVkX1/eXpf/PjWAtPSUADmRh4t7ApAKUYoVpH8nCDaOx/cLWiZRGEd8KRHt" | openssl enc -d -aes-256-cbc -a

Step 6 — Use the decrypted credit card number for billing purposes.
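As an added example (not code from this article or from the Marbles sample), the Go functions below reproduce the exact blob layout that openssl enc -aes-256-cbc -a writes and reads, so a billing service could produce the creditCard argument for initMarble and decrypt what readMarblePrivateDetails returns without shelling out to openssl. It assumes the article's commands as given, which pass no -pbkdf2 and therefore use OpenSSL's legacy single-round MD5 key derivation (EVP_BytesToKey); the function names and the billing password are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// cipherIV is OpenSSL's legacy EVP_BytesToKey (one MD5 round, D_i = MD5(D_{i-1}||pw||salt)), used by `openssl enc` without -pbkdf2.
func cipherIV(pw, salt []byte) (cipher.Block, []byte) {
	var out, prev []byte
	for len(out) < 48 { // 32-byte AES-256 key followed by the 16-byte CBC IV
		d := md5.Sum(append(append(append([]byte{}, prev...), pw...), salt...))
		out, prev = append(out, d[:]...), d[:]
	}
	block, _ := aes.NewCipher(out[:32]) // 32-byte key: NewCipher cannot fail
	return block, out[32:48]
}

// EncryptField returns base64("Salted__"+salt+AES-256-CBC), the format of `openssl enc -aes-256-cbc -a` and thus the creditCard argument of initMarble.
func EncryptField(plain, pw []byte) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	block, iv := cipherIV(pw, salt)
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7: always 1..16 bytes of padding
	buf := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	return base64.StdEncoding.EncodeToString(append(append([]byte("Salted__"), salt...), buf...)), nil
}

// DecryptField is the billing-side counterpart of `openssl enc -d -aes-256-cbc -a`.
func DecryptField(b64 string, pw []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64) // Go's decoder skips the line breaks -a inserts
	if err != nil || len(raw) < 32 || string(raw[:8]) != "Salted__" || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("not an OpenSSL salted AES-CBC blob")
	}
	block, iv := cipherIV(pw, raw[8:16])
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(raw[16:], raw[16:]) // decrypt in place
	pt, pad := raw[16:], int(raw[len(raw)-1])             // a wrong password gives random bytes, which almost never form valid PKCS#7 padding
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong billing password?")
	}
	return pt[:len(pt)-pad], nil
}
```

Two practical caveats: echo appends a newline, so what step 1 actually encrypts is the 17-byte "4111111111111111\n" (which is why the article's 64-character blob decodes to 16 header bytes plus two AES blocks), and the legacy derivation costs one MD5 per password guess, which is why current OpenSSL warns about it and recommends -pbkdf2.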

The previous steps show how an enterprise could add field level encryption to its organization's private data on Hyperledger or any other decentralized blockchain. Obviously this exact procedure would not be used in production; rather, a TDE (Transparent Data Encryption) solution based on this model would be used. I have been working on the DarkBlock TDE, which will offer symmetric ciphers (AES, RC2, RC4, RC5, CAST, DES, Triple DES) as well as asymmetric ciphers (RSA (1024–4096), DSA (1024–3072), Diffie-Hellman, KCDSA).
