How can I encrypt data in Redshift using KMS so that it is not visible to anyone who queries the table or anyone at all in the account at all?
We plan to decrypt the data manually later.
Can you explain the easiest way since I'm doing some POC.
Related
I have an SQLite3 database that I need to secure.
I'm confused between using sqlcipher to encrypt the whole database that I use in my Electron app or simply encrypt the data using crypto dependency.
Any clarification or explanation would be welcome.
There are two different types of encryption: "encryption at rest" and "row level encryption".
What if someone gets access to your SQLite file? They have all your data. "Encryption at rest" protects you against this by encrypting the SQLite file itself. If someone steals your SQLite file it will be useless to them. sqlcipher provides encryption at rest. This is a good idea in general.
What if someone hacks into your application and injects SQL commands? What if they select all your customer data? It doesn't matter if the file is encrypted, the SQL connection will decrypt it. To protect against this you can add a layer of "row level encryption". This is where your application encrypts the data it writes and decrypts the data it reads. The data being stored is encrypted. This is more complicated and has more performance impacts. Since the data is inserted encrypted, it is more difficult to search and index. Use it only for very valuable data that you're not likely to have to search. You're better off securing your application against SQL injection in general.
We are using PouchDB the save our data locally. We want to make sure that data is saved securely.
If we are encrypting the data itself via a plugin it is not possible to query our DB because all the data is not readable anymore...
Is there a way to make sure data is saved securely without encrypting the data itself? Is it possible to encrypt the database as a whole?
Right now the only way to encrypt a Cassandra database at rest seems to be with their enterprise edition which costs thousands of dollars: How to use Cassandra with TDE (Transparent Data Encryption)
Another solution is to encrypt every value before it enters the database, but then the key will be stored somewhere on every server in plaintext and would be easy to find.
I understand they offer "free" use for certain companies, but this is not an option and I am not authorized to pay $2000/server. How do traditional companies encrypt their distributed databases?
Thanks for the advice
I took the approach of encrypting the data disk on AWS. I added a new volume to the instance and checked the option to encrypt the volume. Then I edited cassandra.yaml to point to the encrypted volume.
We have done similar requirement in one of our project. Basically, I made use of trigger feature in Cassandra with custom implementation to perform encryption. It seems to be working fine for us.
You can refer below docs on how to create trigger and sample implemention of ITrigger interface
https://docs.datastax.com/en/cql/3.3/cql/cql_reference/cqlCreateTrigger.html
https://github.com/apache/cassandra/blob/2e5847d29bbdd45fd4fc73f071779d91326ceeba/examples/triggers/src/org/apache/cassandra/triggers/AuditTrigger.java
Encrypting before inserting is a good way. The keys will either be on each application or on each cassandra node. There isnt much difference really, either way you should use filesystem permissions to restrict access to key just the apps user. Theres steps to get more secure from there like requiring entering of passphrase on startup vs storing on disk, but it makes operational tasks horrific.
I have some R scripts which rely on ODBC to retrieve data from a server database. Although this is shared within my team only, we wish to hash the database access password nevertheless. Greatly appreciated if fellow users could share best approaches for doing so. Thanks.
What you probably want is PKI: store the password as vector encrypted through PKI.encrypt, with a key shared between team members, and then prompt the user to decrypt it which requires the key only your team has - when the script first runs. R is sort of slim on encryption/decryption packages; you basically have PKI and digest which is asymetric, and that's it.
i want to encrypt the data. still i am following to do this on ASP.NET Pages. i came to know that we can apply encryption/decryption on data at Backend means on SQL SERVER. I want to know which is the better way. Will i change it to on SQL SERVER or will go with as it is?
I have studied This link to study which say only required columns should be encrypt/decrypt, not whole database. So please let me know which is better way from both of them.
The problem I would say is that the data and the key are stored on the SQL Server. That means if a user was able to get some type of administrative access, or with the right privileges you would potentially compromise all your encrypted data.
The other problem is what happens if the database is stolen, and then later on some vulnerability was found with the mechanism that SQL server was using? These things happen such as when the padding oracle bug was found with scriptresource.axd http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html .