Verschlüsselung von ruhenden Daten

dhyasama · 5. Januar 2015 um 22:13

For a variety of reasons I’d like to encrypt all data at rest in our private financial forum. What are the options and issues?

At the database level, common approaches are column-specific, whole database, and whole disk. Are any of these possible with Discourse? If so, what are the pros and cons?

For attachments, I’m uploading to S3 and plan to turn on server-side S3 encryption which should be transparent to Discourse. Has anyone tried this yet?

sam · 5. Januar 2015 um 22:16

I would recommend

Disabling S3 and handling all data yourself
Enabling full disk encryption on your linux server

I would strongly recommend not trying to hack the app to support this edge case, its a solved problem.

codinghorror · 5. Januar 2015 um 23:20

Option #3 there, to enable Postgres encryption, is also a good possibility. But doesn’t cover uploads, images, or attachments of course… only things stored in the database, which is most stuff in Discourse.

sam · 5. Januar 2015 um 23:37

That is basically #2

Data Partition Encryption
On Linux, encryption can be layered on top of a file system mount using a “loopback device”. This allows an entire file system partition be encrypted on disk, and decrypted by the operating system. On FreeBSD, the equivalent facility is called GEOM Based Disk Encryption, or gbde.

This mechanism prevents unencrypted data from being read from the drives if the drives or the entire computer is stolen. This does not protect against attacks while the file system is mounted, because when mounted, the operating system provides an unencrypted view of the data. However, to mount the file system, you need some way for the encryption key to be passed to the operating system, and sometimes the key is stored somewhere on the host that mounts the disk.

The other option for encryption is not applicable

Encryption For Specific Columns requires application level changes

codinghorror · 5. Januar 2015 um 23:46

Oh wow Postgres doesn’t offer table level encryption?

sam · 6. Januar 2015 um 02:25

yeah you would need to do it column by column, but the general approach is just to do this at filesystem level. simpler.

dhyasama · 7. Januar 2015 um 16:21

Relevant article for AWS users:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html

sam · 3. März 2019 um 21:13

Our current recommendation is:

If you are on AWS, rely on AWS features like DB encryption at rest and S3 server side encryption.
If you are self hosting on digital ocean, use OS level encryption, for example LUKS.

system · 2. April 2019 um 21:13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Thema		Antworten	Aufrufe
How to encrypt the email addresses for compliance with privacy and PII laws? Feature privacy	4	1805	12. Februar 2015
Support for automatic backup encryption (GPG?) Feature backups	7	1730	7. Februar 2019
Passworded/client-side encrypted backups to upload to S3? Support	0	217	16. Oktober 2023
End to End Encryption? Support	1	75	18. Februar 2025
Redundant Discourse Hosting on AWS Hosting	14	2813	13. Mai 2015

Verschlüsselung von ruhenden Daten

Verwandte Themen