I have been working with the Neo4j graph database recently and I want to encrypt my data. I know that Neo4j does not have any built-in encryption. I have some nodes and relations between those nodes. So how can I encrypt my data?
The security checklist has some suggestions for how to keep your data secure, and mentions encryption.
Also, the operating system on which you are running the neo4j server may support the encryption of your Db's data folder.
I have an SQLite3 database that I need to secure.
I'm confused between using sqlcipher to encrypt the whole database that I use in my Electron app or simply encrypt the data using crypto dependency.
Any clarification or explanation would be welcome.
There are two different types of encryption: "encryption at rest" and "row level encryption".
What if someone gets access to your SQLite file? They have all your data. "Encryption at rest" protects you against this by encrypting the SQLite file itself. If someone steals your SQLite file it will be useless to them. sqlcipher provides encryption at rest. This is a good idea in general.
What if someone hacks into your application and injects SQL commands? What if they select all your customer data? It doesn't matter if the file is encrypted, the SQL connection will decrypt it. To protect against this you can add a layer of "row level encryption". This is where your application encrypts the data it writes and decrypts the data it reads. The data being stored is encrypted. This is more complicated and has more performance impacts. Since the data is inserted encrypted, it is more difficult to search and index. Use it only for very valuable data that you're not likely to have to search. You're better off securing your application against SQL injection in general.
Right now the only way to encrypt a Cassandra database at rest seems to be with their enterprise edition which costs thousands of dollars: How to use Cassandra with TDE (Transparent Data Encryption)
Another solution is to encrypt every value before it enters the database, but then the key will be stored somewhere on every server in plaintext and would be easy to find.
I understand they offer "free" use for certain companies, but this is not an option and I am not authorized to pay $2000/server. How do traditional companies encrypt their distributed databases?
Thanks for the advice
I took the approach of encrypting the data disk on AWS. I added a new volume to the instance and checked the option to encrypt the volume. Then I edited cassandra.yaml to point to the encrypted volume.
We had a similar requirement in one of our projects. Basically, I made use of the trigger feature in Cassandra with a custom implementation to perform encryption. It seems to be working fine for us.
You can refer to the docs below on how to create a trigger and a sample implementation of the ITrigger interface:
https://docs.datastax.com/en/cql/3.3/cql/cql_reference/cqlCreateTrigger.html
https://github.com/apache/cassandra/blob/2e5847d29bbdd45fd4fc73f071779d91326ceeba/examples/triggers/src/org/apache/cassandra/triggers/AuditTrigger.java
Encrypting before inserting is a good way. The keys will either be on each application or on each Cassandra node. There isn't much difference really; either way you should use filesystem permissions to restrict access to the key to just the app's user. There are steps to get more secure from there, like requiring entering of a passphrase on startup vs storing on disk, but it makes operational tasks horrific.
I have a Windows server running Chef Client in local mode. I would like to use encrypted data bags for users and passwords, but this becomes an issue since the secret key will need to be stored locally. What are my best options for enabling encrypted data bags and also having a secure secret key?
This isn't what encrypted data bags do. The purpose of that feature is to prevent disclosing the contents to the Chef Server. From the PoV of the client, it is in the clear because it has to have the decryption key. If you have only a single node, there isn't much value in the encryption for Chef. It might still be useful if you are storing that data in a git repo or similar, but in those cases you are probably better off with another solution. Check out https://coderanger.net/chef-secrets/ for a summary of the options.
I am trying to build an open-source decentralized social network, created and supported by the community (Facebook like).
Using Datastax Enterprise/Cassandra it is possible to set up a working DHT (Distributed hash table) to store the large amount of data within a cluster owned by a single 'business' or 'company'.
This way all the data (like: users/profile data, posts, like, etc.) are stored under control of this company within their own cluster, so that the data are more or less "safe".
However, in my case, other people (from the community) should be able to set up their own node within the cluster to support the cluster and load balancing. This could be anyone (good or evil)...
Meaning that not only should the data between the nodes be encrypted (via SSL/TLS), but the data ITSELF that is stored on the nodes should be encrypted as well!
So, my question before continuing using the Datastax software is:
Is it possible to store all the data encrypted somehow on every node, so that the cluster can be run by a given individual/random person?
Thank you!
Kind regards,
Melroy van den Berg
I think it's safe to say that current database technology is based on the concept of controlled access to database servers themselves and that "random persons" (or computer programs!) can only access the database remotely by a well-controlled API.
That said, you could always create your own application layer which mediates between said random users and DSE itself, providing limited administrative access to DSE based on use cases programmed into the application layer itself.
DSE does support transparent data encryption (TDE), but once again that is oriented towards very controlled access to the database servers. You could use it, but the suggested application layer may obviate the need for encryption on the database server(s).
We are going to store some sensitive information about our customers in the db model res_partners.
However, we don't want to store this information in a simple text field. We would prefer some basic encrypting if possible for those fields. We do not want someone who has access to the db to have access to these fields.
Is there a way we can get this done in openerp or postgres?
Thank you,
Vishal Khialani
There is no such thing as "basic" encryption. Rot13 is not going to get you anywhere here. If your data is sensitive enough to deserve protection, then you need to use state of the art cyphers such as Blowfish. I advise you to give a good long look at Bruce Schneier's book Applied Cryptography.
The easy (and insecure) way to achieve this is to overload the write and read methods of your model to encrypt before writing and decrypt after reading.
The tricky part is storing the encryption key. You could store it in a file on the computer running the OpenERP server (assuming the database is running on another server). This is still pretty weak, as the key will be available in clear on the server, but could still be useful if you don't trust your database server admin, but do trust your OpenERP server admin. It's still way easier to get the database server in a secure and trusted place, and if required to encrypt offline copies of the database (such as backups).
If you want more security, you'll have to send the data encrypted to the client application, and let the decryption happen there, using a user-supplied key. I'm not knowledgeable enough about this part of OpenERP to say whether it is easily feasible or not.
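Added example (not from any of the posts above): the encrypt-before-write, decrypt-after-read pattern that the SQLite "row level encryption" answer, the Cassandra "encrypting before inserting" answer and the OpenERP answer describe, written with Node's built-in crypto module and AES-256-GCM. `EncryptedTable`, the `ssn` column, the sample rows and the in-memory key are assumptions made for illustration; the result also shows why equality search on an encrypted column stops working.

```javascript
const crypto = require('node:crypto');

// Constructed demo key; a real one is loaded from a file or secret store
// readable only by the application's user, as the answers describe.
const KEY = crypto.randomBytes(32);

// AES-256-GCM per field. The column name is authenticated as associated data,
// so a ciphertext copied into a different column fails to decrypt.
function encryptField(key, column, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(column, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, column, stored) {
  const raw = Buffer.from(stored, 'base64'); // layout: iv(12) | tag(16) | ct
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(column, 'utf8'));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Hypothetical stand-in for a table: the storage layer only holds ciphertext
// for the columns listed as sensitive.
class EncryptedTable {
  constructor(key, sensitive) { this.key = key; this.sensitive = new Set(sensitive); this.rows = []; }
  map(row, fn) {
    return Object.fromEntries(Object.entries(row).map(([c, v]) =>
      [c, this.sensitive.has(c) ? fn(this.key, c, v) : v]));
  }
  insert(row) { this.rows.push(this.map(row, encryptField)); } // encrypt on write
  read(i) { return this.map(this.rows[i], decryptField); }      // decrypt on read
  // What a query running inside the database (or an injected one) can match on.
  rawSelect(col, value) { return this.rows.filter(r => r[col] === value); }
}

function demo() {
  const t = new EncryptedTable(KEY, ['ssn']);
  t.insert({ name: 'alice', ssn: '123-45-6789' }); // constructed sample rows
  t.insert({ name: 'bob', ssn: '123-45-6789' });
  return {
    roundTrip: t.read(0).ssn,
    sameCiphertext: t.rows[0].ssn === t.rows[1].ssn,
    searchHits: t.rawSelect('ssn', '123-45-6789').length,
  };
}
console.log(demo());
```

Because every value gets its own random nonce, two rows with the same plaintext store different ciphertexts, so the database can neither index nor match on the column; lookups have to go through an unencrypted column or a separate keyed hash.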