chenqi0805
commented
3 years ago Alternative solutions:
- manually encrypt/decrypt the key-value pairs before storing in LMDB/MapDB files.
For manual encryption and decryption, Java has its own JCE framework. The available ciphers are listed as follows:
https://docs.oracle.com/javase/8/docs/api/javax/crypto/Cipher.html https://docs.oracle.com/javase/9/security/java-cryptography-architecture-jca-reference-guide.htm#JSSEC-GUID-2BCFDD85-D533-4E6C-8CE9-29990DEB0190
Issue with manual encryption/decryption:
- Maintain and retrieve encrypted keys
- Maintain secretKeys
- Performance/Efficiency
- encryption/decryption at serializer/deserializer level: In MapDB, DBMaker allows specifying keySerializer and valueSerializer. One might implement GroupSerializer interface to encode/decode keys/values
kowshikn
As protection to data access in data-prepper, we will support encryption at rest. Encryption requirements TBD.
As a first step, encryption at rest will be applied to db files in service-map.
Note: AWS KMS manages encryption by AES-256: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html which is a symmetric cryptographic algorithm(https://en.wikipedia.org/wiki/Advanced_Encryption_Standard). Other cryptographic algorithm is PGP, which uses asymmetric encryption(public-private keys). Although providing more security, it is computationally more expensive.