What's a good approach for encrypting event data in Redis?

Hello!

Disclaimer: I’m not a Python developer by trade, so there may some really obvious newbie mistakes/misunderstandings that follow. Also, I’m still getting up to speed with Sentry. For the purposes of this post, my mental model is that every event sent by an application to Sentry is placed on a queue stored in Redis. Furthermore, all writes/reads to/from Redis which contain the event payload are done via Celery/Kombu. There are other ways that Sentry can use Redis, but those use cases do not store event payloads.

Anyway, the source of my question: I’m starting to operationalize Sentry in a healthcare context, and need to ensure that sensitive information is not sent to Redis, or available in Redis, as plaintext. Based on my mental model, I had hoped that Celery or Kombu provided a way to plug in a custom codec for reading/writing messages. And it looks like the serializers feature of Celery/Kombu does just that.

After some fiddling and false starts, it seemed like adding the following snippet to sentry.conf.py would suit my purposes:

register('encrypted_messages',
         encrypted_message_serializer.dumps,
         encrypted_message_serializer.loads,
         content_type='application/x-python-serialize',
         content_encoding='utf-8')

where encrypted_message_serializer.{dumps,loads} wrap pickle.{dumps,loads} with Fernet.

However, this caused a ton of errors to show up in syslog. The specific error was caused by Fernet attempting to decrypt a string that was not encrypted to begin with. By adding a bunch of logging to my serializer, I was able to determine that, while the decoder was being invoked regularly, the encoder was never invoked – hence the error messages.

This makes me think there’s something wrong with my mental model, but I’m having a hard time figuring it out. Any pointers would be appreciated; my concrete questions are:

  1. Is there a single entry point at which I can specify how event data should be encoded and decoded before it’s written to/read from Redis?
  2. If so, what is it, and how can I customize it?
  3. If not, what are my options for ensuring that there’s never any event data in plaintext in Redis?