So ,
I know Firebase encrypt data at rest according to this question.
question is do they use a unique key per account , also where are those keys stored.
This is more a compliance concern.
Firebase relies on Google Cloud Platform's default encryption at rest.
Data is not encrypted with an account-specific key.
Related
I see in the docs that Firebase Realtime Database is encrypted.
But there are some terms I don't fully understand:
Firebase services encrypt data in transit using HTTPS and logically isolate customer data. What does logically isolate customer data. mean?
"In addition, several Firebase services also encrypt their data at rest: Firebase Realtime Database Firebase Test Lab" Can somebody explain this in layman's terms?
Firebase stores user's data on the same physical server, but the data is isolated by a computer program (computer logic). It's not physically isolated from one another.
When your data is not "in use" it's encrypted. So when you data is being worked on by a service it has to be not encrypted.
I'm looking for documentation that says the level of encryption is used at rest for firebase auth and firestore data:
Firebase Authentication
Firestore
This stackoverflow question points to a link that says it is encrypted, here: https://firebase.google.com/support/privacy#data_encryption
However, it does not specify the encryption level.
Is the data encrypted at AES 256? If not, what level of encryption is used?
Firestore is a part of Google Cloud products and all user content stored in Google Cloud is encrypted at rest without additional action required.
As shown in the diagram, data chunks in storage systems are protected by AES256 encryption with integrity.
The same applies on Firebase Auth as the service run on Google infrastructure though it is exclusive on US datacenters.
https://cloud.google.com/security/encryption-at-rest/default-encryption
I have actually one SPA in ReactJs + one mobile application in Flutter + one REST API developed with SailsJs running on a separate server. I managed user authentication with the secured session cookie generated by Firebase Authentication sent back by the API when we are login with valid information (id/password).
Now, I want to encrypt highly sensitive data (medicines, treatments, patients) in the Firestore database so no one can see the data in clear when an intrusion happens or with the basic admin access to the console for the production database.
Do I need to encrypt the data at the client-level considering the fact that the connection between the clients and the API server is over HTTPS? Or can I just encrypt the received body at the api-level before storing it in Firestore and decrypt the encrypted data at the GET endpoints?
My idea is to generate an encryption key with AES at the user registration and store it in another database from an European/French hosting company in order to avoid any risk with the US Cloud Act or whatever (user id from Firebase Authentication <-> encryption key). Is it a good idea? What other solution can I choose to securely store and use the encryption keys of my users?
Thanks for your help.
Do I need to encrypt the data at the client-level considering the fact that the connection between the clients and the API server is over HTTPS? Or can I just encrypt the received body at the api-level before storing it in Firestore and decrypt the encrypted data at the GET endpoints?
If you encrypt/decrypt the data in your custom API, that API will need to have access to the encryption keys. While the chances are small, it does mean the keys could be taken from here, and then be used to compromise the data.
If you encrypt/decrypt the data in the client-side code, only that code will need access to those keys. If you then exchange the keys through some out-of-band mechanism, something that doesn't get stored on your servers along the way, there is no way for anyone with access to those servers to decrypt the data.
Does anyone know if the local cache of the Firebase Cloud Firestore is encrypted at rest on the clients? I want to temporarily store sensitive details (think payment details) in the datastore until network connectivity becomes available and I can fire off some cloud functions and dispose of the data. I could go about encrypting the data before it is stored, but then that necessitates the need to rotate keys etc.
The google group responded, and the answer is no. The store is not encrypted on the device. This facilitated the need for encryption prior to storing the data.
https://groups.google.com/forum/m/#!topic/google-cloud-firestore-discuss/fa4RygAeFJg
Is there any recommended way to encrypt data in Firestore? Even though Firestore, by default, encrypts data before it writes to the disk, admins still can read data in the console. I am looking to make the data readable only by users who are allowed decrypt it. So it will be unreadable in the console.
One way I think it may be possible is to use cloud functions but I can't find how to modify the data before it gets saved to the disk (beforeWrite hook).
The only way to control all access to all data in Firestore (or Realtime Database for that matter) is to perform encryption on the raw data itself before it's even passed to the client APIs or SDKs that perform the write.
It's not possible to hook writes before they actually commit to storage with Cloud Functions. A function will only receive an event after the data is successfully written.
Also, bear in mind that if you encrypt data before it reaches the API, you will be unable to search and sort using that data, because it will no longer represent the original data in any way. All you would be able to do is access a document/location by its unique key (assuming that key is also not encrypted, or the encrypted id is (cryptographically) shared between both parties through another secure channel.
You'll need to encrypt data on the client devices before you write them into Firestore. When the other device reads up the data, decrypt it.
Key management is what you'll need to spend some time with to implement: Users on both devices need to have private keys locally and public keys accessible to the other users to encrypt messages with. Then you'll need to create a data encryption key to encrypt/decrypt messages in the chat room. This data encryption key, you'll encrypt with the participating users' public keys. And all keys, store in Firebase, encrypted.
Check out these 2 sample apps for a Firestore chat app example:
iOS: https://github.com/VirgilSecurity/demo-firebase-ios
Android: https://github.com/VirgilSecurity/demo-firebase-android
David