Data encryption/decryption at rest

David Christensen dpchrist@REDACTED
Sat Jan 22 19:40:31 CET 2022

On 1/22/22 2:03 AM, Frank Muller wrote:
> Hi guys,
> We have some ETS tables persisted to disk periodically.
> These data are almost static (rarely change) and contains clients
> information such as: name, gender, date/place of birth, security token, etc.
> Due to new policy in place, these data has to be encrypted at rest.
> But I still need to access it in a decrypted way inside my Erlang app.
> What approach should I take?
> Is there any Erlang library to help with this task?
> Disclaimer: I’m by far not a security expert
> Thanks
> /Frank

On 1/22/22 4:59 AM, Frank Muller wrote:
 > I’ve heard about Luks / Ceph.
 > Any practical experience with them or any other alternative? I’m looking
 > for a simple solution.
 > Will data decrypting affect performance?

On 1/22/22 7:31 AM, Frank Muller wrote:
 > I’m wondering if we can achieve something like this in pure Erlang:

Who owns the data?  Who owns the disks?  Who owns the servers?  Who owns 
the network?  Who has physical access?  Who has remote console access?

Do government regulations apply?  Contractual obligations?  Company 
policies?  Personal preferences?

At the higher end, I would suggest self-encrypting drives.

In the middle, I would suggest operating system features -- encrypting 
device drivers, encrypting filesystems, encrypted communications, etc.. 
  Hardware acceleration is desirable -- AES-NI, PCIe cards, etc..

At the lower end, I would suggest validated cryptographic libraries.

Combining multiple solutions must be very carefully considered -- 
"security in depth" vs. "increased threat surface".


More information about the erlang-questions mailing list