Data encryption/decryption at rest
Sat Jan 22 19:40:31 CET 2022
On 1/22/22 2:03 AM, Frank Muller wrote:
> Hi guys,
> We have some ETS tables persisted to disk periodically.
> These data are almost static (rarely change) and contains clients
> information such as: name, gender, date/place of birth, security token, etc.
> Due to new policy in place, these data has to be encrypted at rest.
> But I still need to access it in a decrypted way inside my Erlang app.
> What approach should I take?
> Is there any Erlang library to help with this task?
> Disclaimer: I’m by far not a security expert
On 1/22/22 4:59 AM, Frank Muller wrote:
> I’ve heard about Luks / Ceph.
> Any practical experience with them or any other alternative? I’m looking
> for a simple solution.
> Will data decrypting affect performance?
On 1/22/22 7:31 AM, Frank Muller wrote:
> I’m wondering if we can achieve something like this in pure Erlang:
Who owns the data? Who owns the disks? Who owns the servers? Who owns
the network? Who has physical access? Who has remote console access?
Do government regulations apply? Contractual obligations? Company
policies? Personal preferences?
At the higher end, I would suggest self-encrypting drives.
In the middle, I would suggest operating system features -- encrypting
device drivers, encrypting filesystems, encrypted communications, etc..
Hardware acceleration is desirable -- AES-NI, PCIe cards, etc..
At the lower end, I would suggest validated cryptographic libraries.
Combining multiple solutions must be very carefully considered --
"security in depth" vs. "increased threat surface".
More information about the erlang-questions