When running as a database proxy, JumpWire sits between the application and database and proxies the wire connection. JumpWire will inspect SQL queries that insert or retrieve data, transform column data if necessary, then return the results. Since JumpWire works with the existing database protocol, only the database connection parameters need to be updated for an application to connect through JumpWire.
Applications that don't operate on sensitive data can continue to connect to the database directly.
In this example, an application is configured to connect to PostgreSQL through JumpWire. The "Last Name" and "Username" fields are both labeled as PII.
A policy is configured to automatically encrypt any fields that are labeled as PII. Only connections classified as Confidential are allowed to retrieve the decrypted values.
When our application connects without any classification, it gets back valid data for most fields but encrypted versions of the PII fields.
Updating the connection in the Databases settings to have a Confidential classification allows the decrypted data to be retrieved. After updating the classification, new queries will immediately return decrypted data without any application updates.
The same behavior can be seen when connecting directly to the database instead of connecting through JumpWire with an allowed classification. A client that attempts to bypass JumpWire can only retrieve the data from PostgreSQL in its encrypted format.
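The three access paths described above (no classification, Confidential, and direct to the database) can be modeled in a few lines. This is an added example, not JumpWire's code or configuration: the function names, the `enc:` marker, and the standard-library cipher (a stand-in for a vetted AEAD) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, os

ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)  # held by the proxy only
LABELS = {"last_name": "PII", "username": "PII"}   # field labels from the example
ENCRYPT_LABELS = {"PII"}         # policy: encrypt fields carrying these labels
DECRYPT_FOR = {"Confidential"}   # policy: classifications that get plaintext
PREFIX = "enc:"                  # hypothetical marker for encrypted values

def _keystream(nonce, n):
    # Stand-in stream cipher (SHA-256 in counter mode); use a vetted AEAD in practice.
    blocks = (hashlib.sha256(ENC_KEY + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(value):
    nonce, data = os.urandom(12), value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return PREFIX + base64.b64encode(nonce + tag + ct).decode()

def decrypt(token):
    raw = base64.b64decode(token[len(PREFIX):])
    nonce, tag, ct = raw[:12], raw[12:28], raw[28:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()

def is_protected(field):
    return LABELS.get(field) in ENCRYPT_LABELS

def proxy_insert(table, row):
    # Write path: labeled fields are encrypted before they reach storage.
    table.append({f: encrypt(v) if is_protected(f) else v for f, v in row.items()})

def proxy_select(table, classification=None):
    # Read path: decrypt only for an allowed classification.
    allowed = classification in DECRYPT_FOR
    return [{f: decrypt(v) if allowed and is_protected(f) and v.startswith(PREFIX)
             else v for f, v in row.items()} for row in table]

def direct_select(table):
    # Bypassing the proxy: the client sees exactly what is stored.
    return [dict(row) for row in table]

if __name__ == "__main__":
    db = []  # constructed sample data
    proxy_insert(db, {"first_name": "Ada", "last_name": "Lovelace", "username": "ada"})
    for name, rows in [("unclassified", proxy_select(db)),
                       ("Confidential", proxy_select(db, "Confidential")),
                       ("direct", direct_select(db))]:
        print(name, rows[0])
```

Because the key lives only in the proxy, the direct path and the unclassified path return identical ciphertext, which is the property the policy relies on.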