I am unable to find anything that explicitly states that GCP's Memorystore offering (redis) is encrypted at rest.
This document states that "Data at rest is encrypted by default in all Google Cloud Platform products. Read about the granularity of encryption by product.(link)"
https://cloud.google.com/security/encryption-at-rest/
When I click that link and it lists the granularity, however, it lists the specifics for many services, but does not list Memorystore.
https://cloud.google.com/security/encryption-at-rest/default-encryption/#granularity_of_encryption_in_each_google_cloud_platform_product
Is the data in a GCP Memorystore instance encrypted at rest?
Cloud Memorystore for Redis does not currently support persistence. Therefore there is nothing to encrypt at rest.
Related
I see in the docs that Firebase Realtime Database is encrypted.
But there are some terms I don't fully understand:
Firebase services encrypt data in transit using HTTPS and logically isolate customer data. What does logically isolate customer data. mean?
"In addition, several Firebase services also encrypt their data at rest: Firebase Realtime Database Firebase Test Lab" Can somebody explain this in layman's terms?
Firebase stores user's data on the same physical server, but the data is isolated by a computer program (computer logic). It's not physically isolated from one another.
When your data is not "in use" it's encrypted. So when you data is being worked on by a service it has to be not encrypted.
I'm looking for documentation that says the level of encryption is used at rest for firebase auth and firestore data:
Firebase Authentication
Firestore
This stackoverflow question points to a link that says it is encrypted, here: https://firebase.google.com/support/privacy#data_encryption
However, it does not specify the encryption level.
Is the data encrypted at AES 256? If not, what level of encryption is used?
Firestore is a part of Google Cloud products and all user content stored in Google Cloud is encrypted at rest without additional action required.
As shown in the diagram, data chunks in storage systems are protected by AES256 encryption with integrity.
The same applies on Firebase Auth as the service run on Google infrastructure though it is exclusive on US datacenters.
https://cloud.google.com/security/encryption-at-rest/default-encryption
I want to have a per client namespace and storage in my kubernetes environment where a dedicated instance of app runs per client and only client should be able to encrypt/decrypt the storage being used by that particular client's app.
I have seen hundreds of examples on secrets encryption in kubernetes environment but struggling to achieve actual storage encryption that is controlled by the client. is it possible to have a storage encryption in K8s environment where only client has the knowledge of encryption keys (and not the k8s admin) ?
The only thing that comes to my mind as suggested already in the comment is hashicorp vault.
Vault is a tool for securely accessing secrets. A secret is anything
that you want to tightly control access to, such as API keys,
passwords, or certificates. Vault provides a unified interface to any
secret, while providing tight access control and recording a detailed
audit log.
Some of the features that you might to check out:
API driven interface
You can access all of its features programatically due to HTTP API.
In addition, there are several officially supported libraries for programming languages (Go and Ruby). These libraries make the interaction with the Vault’s API even more convenient. There is also a command-line interface available.
Data Encryption
Vault is capable of encrypting/decrypting data without storing it. The main implication from this is if an intrusion occurs, the hacker will not have access to real secrets even if the attack is successful.
Dynamic Secrets
Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up. This means that the secret does not exist until it is read.
Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
Convenient Authentication
Vault supports authentication using tokens, which is convenient and secure.
Vault can also be customized and connected to various plugins to extend its functionality. This all can be controlled from web graphical interface.
I want to create a Udemy like video platform where a user can see all videos but can watch videos only that he has purchased.
I am making a rest call to get the videos from the storage bucket from an angular application, using Firebase authentication here. In my GET request to storage bucket I am passing the access token that I got from Firebase authn.
Does this access token can be used to determine scope of the user to access video in a bucket?
Assume if I have given read access for a video in a bucket for a specific user, using the access token can I get the video? But every time I tried it shows unauthorized. Is there any other way to verify users access to storage bucket object.
Google recommend to not use ACL because it's hard to manage and to have a global view on the authorization.
In most cases, Cloud Identity and Access Management (Cloud IAM) is the recommended method for controlling access to your resources.
Caution: Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
IMO, the best pattern is to have a database on your side with the file on GCS allowed per user. You can store these in Firestore: affordable, pay as you use, generous free tier. For downloading the video, you can generate a temporarily access to the user by generating a signedUrl.
As per mention Guillaume Cloud Storage use the ACL pattern in order to have a control to the access of the resources stored in their buckets.
Nevertheless, when you need to storage wide objects per user in this case a video, you can store these in Firestore: affordable, pay as you use, generous free tier. This is a very suitable option since Firestore can use as another resource
Is recommended for this scenario generate a signed URL
Does anyone know if the local cache of the Firebase Cloud Firestore is encrypted at rest on the clients? I want to temporarily store sensitive details (think payment details) in the datastore until network connectivity becomes available and I can fire off some cloud functions and dispose of the data. I could go about encrypting the data before it is stored, but then that necessitates the need to rotate keys etc.
The google group responded, and the answer is no. The store is not encrypted on the device. This facilitated the need for encryption prior to storing the data.
https://groups.google.com/forum/m/#!topic/google-cloud-firestore-discuss/fa4RygAeFJg