
Encryption

End-to-end encryption for data at rest, in transit, and in use

Overview

entropyDB provides comprehensive encryption:

  • At-Rest Encryption: AES-256 for stored data
  • In-Transit Encryption: TLS 1.3 for network traffic
  • Column-Level Encryption: Encrypt specific columns
  • Key Management: Integrated with KMS/HSM
  • Transparent Encryption: No application changes required

At-Rest Encryption

# Enable transparent data encryption
# entropydb.conf
encryption_at_rest = on
# AES-256-GCM is an authenticated mode: it detects modification of the
# stored ciphertext as well as hiding its content.
encryption_algorithm = 'AES-256-GCM'
# Rotation interval in days.
# NOTE(review): this page does not say whether rotation re-encrypts stored
# data or only re-wraps data keys under a new master key; confirm before
# relying on rotation to recover from a key compromise.
encryption_key_rotation_days = 90

# Initialize encryption during cluster setup
# The ARN below is a sample value; substitute the key from your own account
# and region.
entropydb-admin init-cluster \
  --enable-encryption \
  --key-provider aws-kms \
  --kms-key-id arn:aws:kms:us-west-2:123456789:key/abc-123

# Or use local key file
# With the file provider the master key sits on the same host as the data it
# protects: anyone who can read both the key file and the data files can
# decrypt them. Keep the file readable only by the database service account
# and keep it out of backups that also hold the encrypted data.
entropydb-admin init-cluster \
  --enable-encryption \
  --key-provider file \
  --key-file /secure/path/master.key

# Enable encryption on existing cluster
ALTER SYSTEM SET encryption_at_rest = on;
# NOTE(review): presumably rewrites already-stored data in encrypted form.
# Confirm whether logs, temporary files and backups written before this
# point stay in plaintext and need separate handling.
SELECT entropy_encrypt_all_data();

# Check encryption status
# Run this after the conversion and review every tablespace row; the setting
# being "on" does not by itself show that existing data was converted.
SELECT 
  tablespace_name,
  encrypted,
  encryption_algorithm,
  key_id
FROM entropy_tablespace_encryption;

In-Transit Encryption (TLS)

# Generate SSL certificates
# -x509 produces a self-signed certificate valid for 365 days, and -nodes
# writes server.key without a passphrase, so file permissions are the only
# protection for the private key.
# A client using sslmode=verify-full accepts this certificate only if it
# trusts the certificate itself as a root; for production, issue the server
# certificate from a CA instead.
openssl req -new -x509 -days 365 -nodes -text \
  -out server.crt \
  -keyout server.key \
  -subj "/CN=entropydb.example.com"

# Enable TLS in configuration
# entropydb.conf
ssl = on
ssl_cert_file = '/etc/entropydb/server.crt'
ssl_key_file = '/etc/entropydb/server.key'
# NOTE(review): presumably the CA bundle used to verify client certificates;
# confirm against the entropyDB reference.
ssl_ca_file = '/etc/entropydb/ca.crt'
# OpenSSL cipher-list string. In OpenSSL this syntax selects suites for
# TLS 1.2 and earlier; TLS 1.3 suites are configured separately, so with the
# minimum version below set to TLSv1.3 this line may have no effect.
# Confirm how entropyDB applies it.
ssl_ciphers = 'HIGH:!aNULL:!MD5'
ssl_min_protocol_version = 'TLSv1.3'
ssl_prefer_server_ciphers = on

# Require SSL for all connections
# NOTE(review): presumably rejects unencrypted connections server-side. This
# does not make clients authenticate the server; that depends on the
# client's own sslmode (verify-full in the connection example).
ALTER SYSTEM SET ssl_mode = 'require';

# Require SSL for specific users
ALTER USER alice REQUIRE SSL;

# Connect with SSL
# sslmode=verify-full makes the client validate the server certificate chain
# against sslrootcert and check that the certificate matches the host name.
# Weaker modes such as require encrypt the session without authenticating
# the server. sslcert/sslkey present a client certificate; keep client.key
# readable only by the connecting user.
psql "host=entropydb.example.com \
      sslmode=verify-full \
      sslcert=client.crt \
      sslkey=client.key \
      sslrootcert=ca.crt"

# Verify SSL connection
# NOTE(review): the columns of entropy_ssl_info are not shown on this page.
# Check the negotiated protocol version and cipher, not only that a row is
# returned.
SELECT * FROM entropy_ssl_info;

Column-Level Encryption

-- Create table with encrypted columns
-- username is stored unencrypted. email names no algorithm or key, so it
-- uses whatever defaults the server applies (not shown on this page).
-- credit_card is bound to its own named key, 'pci-dss-key'.
CREATE TABLE users (
  user_id SERIAL PRIMARY KEY,
  username TEXT,
  email TEXT ENCRYPTED,
  ssn TEXT ENCRYPTED WITH (algorithm = 'AES-256-GCM'),
  credit_card TEXT ENCRYPTED WITH (
    algorithm = 'AES-256-GCM',
    key_name = 'pci-dss-key'
  )
);

-- Insert data (automatically encrypted)
-- Sample values only; credit_card is not set by this statement.
INSERT INTO users (username, email, ssn) 
VALUES ('alice', 'alice@example.com', '123-45-6789');

-- Query encrypted data (automatically decrypted)
-- Because decryption is automatic, any role allowed to read these columns
-- receives plaintext: column encryption protects the stored bytes, not
-- SQL-level access. Restrict privileges on the sensitive columns, and
-- select only the columns a caller needs rather than *.
SELECT * FROM users WHERE user_id = 1;

-- Encrypt existing column
-- phone_number is not part of the CREATE TABLE above; this assumes the
-- column already exists.
-- NOTE(review): confirm whether existing rows are re-written encrypted by
-- this statement or only newly written values are.
ALTER TABLE users 
  ALTER COLUMN phone_number 
  SET ENCRYPTED;

-- Use different encryption keys per column
-- Separate keys let access to salary data and to review data be granted
-- and rotated independently.
CREATE ENCRYPTION KEY hr_key;
CREATE ENCRYPTION KEY finance_key;

ALTER TABLE employees
  ALTER COLUMN salary
  SET ENCRYPTED WITH KEY finance_key;

ALTER TABLE employees
  ALTER COLUMN performance_review
  SET ENCRYPTED WITH KEY hr_key;

Key Management

# The four stanzas below are alternatives: each assigns
# encryption_key_provider, so presumably only one of them belongs in a given
# entropydb.conf. All identifiers are sample values.

# AWS KMS Integration
# entropydb.conf
encryption_key_provider = 'aws-kms'
aws_kms_key_id = 'arn:aws:kms:us-west-2:123456789:key/abc-123'
aws_region = 'us-west-2'

# Azure Key Vault
encryption_key_provider = 'azure-keyvault'
azure_keyvault_url = 'https://myvault.vault.azure.net/'
azure_keyvault_key_name = 'entropydb-master-key'

# Google Cloud KMS
encryption_key_provider = 'gcp-kms'
gcp_kms_key_name = 'projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY'

# HashiCorp Vault
encryption_key_provider = 'vault'
vault_addr = 'https://vault.example.com:8200'
# A Vault token written here is a plaintext credential: whoever can read this
# file can fetch the master key. Restrict the file to the database service
# account, and scope the token's policy to the single key path below with a
# short lifetime.
# NOTE(review): confirm whether entropyDB can obtain the token from somewhere
# other than this file.
vault_token = 'your-vault-token'
vault_key_path = 'secret/entropydb/master-key'

# Key rotation
# NOTE(review): this page does not state whether rotation re-encrypts stored
# data or only replaces the key used for new writes; confirm before treating
# rotation as a response to a suspected key compromise.
SELECT entropy_rotate_encryption_keys();

# Schedule automatic rotation
# '0 0 1 */3 *' fires at 00:00 on day 1 of every third month (January, April,
# July, October), so intervals run 90 to 92 days, slightly longer than a
# strict 90-day policy.
CREATE CRON JOB rotate_keys
  SCHEDULE '0 0 1 */3 *'  -- Every 3 months
  EXECUTE 'SELECT entropy_rotate_encryption_keys()';

# View key rotation history
# Reviewing this regularly shows whether the scheduled job is actually
# running.
SELECT * FROM entropy_key_rotation_history
ORDER BY rotated_at DESC;

Application-Level Encryption

// Client-side encryption before insert
import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';

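// AES-256-GCM is authenticated encryption and needs a 32-byte key.
const algorithm = 'aes-256-gcm';

// The key is supplied as 64 hex characters in the environment so that it
// never appears in source code. Fail at start-up if it is missing.
const keyHex = process.env.ENCRYPTION_KEY;
if (!keyHex) {
  throw new Error('ENCRYPTION_KEY is not set');
}

const key = Buffer.from(keyHex, 'hex');

// Buffer.from(..., 'hex') stops at the first non-hex character instead of
// throwing, so a malformed value only shows up as a short buffer. Check the
// length here rather than at the first encrypt() call.
if (key.length !== 32) {
  throw new Error('ENCRYPTION_KEY must be 64 hex characters (32 bytes) for aes-256-gcm');
}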

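/**
 * Encrypts a UTF-8 string with AES-256-GCM under the module-level key.
 *
 * @param text - Plaintext to encrypt.
 * @returns Hex-encoded ciphertext, IV and authentication tag. All three
 *          must be stored together; decryption needs each of them.
 */
function encrypt(text: string): { encrypted: string; iv: string; tag: string } {
  // 96-bit IV, the length GCM is specified around (NIST SP 800-38D).
  // A fresh random IV per call is essential: reusing an IV under the same
  // key breaks both confidentiality and integrity.
  const iv = randomBytes(12);
  const cipher = createCipheriv(algorithm, key, iv);

  const encrypted = cipher.update(text, 'utf8', 'hex') + cipher.final('hex');

  // The tag is only available once final() has been called.
  const tag = cipher.getAuthTag();

  return {
    encrypted,
    iv: iv.toString('hex'),
    tag: tag.toString('hex')
  };
}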

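/**
 * Decrypts and authenticates a value produced by encrypt().
 *
 * @param encrypted - Hex-encoded ciphertext.
 * @param iv - Hex-encoded IV that was used for encryption.
 * @param tag - Hex-encoded 16-byte GCM authentication tag.
 * @returns The decrypted UTF-8 plaintext.
 * @throws If the tag has the wrong length, or if the ciphertext, IV or tag
 *         does not verify under the key.
 */
function decrypt(encrypted: string, iv: string, tag: string): string {
  // The tag comes back from storage, so pin its length to the 16 bytes that
  // encrypt() produces. Without authTagLength, Node's GCM also accepts
  // shorter tags, which would weaken the integrity check.
  const decipher = createDecipheriv(algorithm, key, Buffer.from(iv, 'hex'), {
    authTagLength: 16
  });

  decipher.setAuthTag(Buffer.from(tag, 'hex'));

  // final() is where the tag is verified. The plaintext is returned only
  // after it succeeds, so unauthenticated output never reaches the caller.
  const head = decipher.update(encrypted, 'hex', 'utf8');
  const tail = decipher.final('utf8');

  return head + tail;
}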

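// Store encrypted data
// Sample value for illustration only.
const sensitiveData = 'credit card 4111-1111-1111-1111';
const { encrypted, iv, tag } = encrypt(sensitiveData);

// Ciphertext, IV and tag are all needed to decrypt later. They are bound as
// query parameters, never concatenated into the SQL text.
await client.query(
  'INSERT INTO payments (encrypted_data, iv, auth_tag) VALUES ($1, $2, $3)',
  [encrypted, iv, tag]
);

// Retrieve and decrypt
const result = await client.query(
  'SELECT encrypted_data, iv, auth_tag FROM payments WHERE id = $1',
  [paymentId]
);

// An unknown id returns no rows; report that explicitly instead of failing
// with a TypeError on rows[0].
const row = result.rows[0];
if (!row) {
  throw new Error('payment not found');
}

// decrypt() throws if the stored ciphertext, IV or tag has been altered.
const decrypted = decrypt(row.encrypted_data, row.iv, row.auth_tag);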

Best Practices

Key Management

  • Use external KMS/HSM for master keys
  • Rotate keys regularly (90 days)
  • Never store keys in application code
  • Implement key access controls

Implementation

  • Enable TLS for all connections
  • Use strong cipher suites
  • Encrypt backups
  • Perform regular security audits

Next Steps