Open eddierubeiz opened 10 months ago
I would add that the only reason I am aware of that this matters is to the extent that we may be storing confidential "patron" info in our DB.
MOST of our DB stuff is not especially sensitive or private. There may be other stuff that is I guess though -- non-public Oral History data? But this particular ticket does not apply to OH PDF and file assets, only to metadata. If we wanted to apply additional encryption to OH PDF etc assets, that's a different ticket -- currently we think putting on a private S3 bucket is sufficient.
And of course a risk of this kind of encryption is that we could lose the encryption key or make some other mistake that makes our backups lost to us!
Notes from @jrochkind , slightly edited:
"Look into the ways in which our backups are encrypted… they aren’t currently I think except for the fact that they use default AWS S3 “at rest” encryption same as on every S3 bucket probably, which only guards against certain attacks (like someone who somehow had access to the AWS S3 physical media without going through usual AWS interfaces).
"We could use AWS client side encryption features to protect our DB backups specifically, and might want to, if we think they include sensitive patron data.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingClientSideEncryption.html
"Look into the workflow that puts the backups into S3.