Data at Rest Encryption


1. General overview

Data at Rest Encryption (DARE) is a method for safeguarding the confidentiality and integrity of data while it is stored on media such as disks, file systems, or databases. It differs from transport encryption, which is employed to protect data during its transmission over a network. This approach ensures data confidentiality in cases of physical access to the storage media, such as loss, theft, or unauthorized access to the physical device.

2. Application of Data at Rest Encryption

Data encryption is applied to two key components of the platform. Disk encryption is applied to components of the container orchestration system, as well as the system’s own storage. Both operations are performed by the Platform registry installer during deployment.

2.1. Storage encryption

All data residing in block-type storage is encrypted at rest. Consequently, all data storage backups are automatically encrypted and protected from unauthorized access.

Storage devices are encrypted with a data key using the industry-standard AES-256-XTS encryption algorithm recommended by NIST SP 800-38E.

2.2. Container orchestration system storage encryption

The key-value store of the container orchestration system holds sensitive secrets and confidential information and therefore must be encrypted. To keep system performance optimal, only the following resources are encrypted:

  • Secrets

  • Configuration

  • Routes

  • OAuth mechanism access tokens

Encryption is accomplished using the AES-CBC algorithm with PKCS#7 padding and a 32-byte key.

3. Impact on performance and availability

Encryption has minimal impact on the quality attributes of the Platform: read and write operations run at nearly the same speed as without encryption, adding only minimal latency.

4. Key management and security

Key management is a critical aspect of using data-at-rest encryption. Effective key management ensures the security of encrypted data and prevents unauthorized access.

Reliable algorithms and methods are used for key generation. Encryption keys are stored in secure locations with limited access.

Encryption keys have defined lifecycle stages, including creation, usage, maintenance, and deletion.

Rotation of disk encryption keys occurs automatically once a year, and rotation of container orchestration system storage encryption keys occurs weekly.
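The following Go program is an added illustration of sections 2.2 and 4 together; it is not the Platform installer's code. It encrypts records with AES-256-CBC, PKCS#7 padding and a 32-byte key, as section 2.2 describes, and wraps that in a keyring in which the newest key encrypts while retired keys stay available for decryption only, so that records written before a rotation remain readable; RotationDue applies the weekly and yearly intervals stated above. The Key and Keyring types, the record layout (key ID, ':' separator, IV, ciphertext) and the key IDs are assumptions made for this example. Two points a practitioner should keep in mind: CBC provides confidentiality only, so integrity of the stored record has to come from elsewhere, and the unpad routine returns a single error for every malformed input so that failure reasons do not leak.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Rotation intervals stated in the document: disk keys yearly, store keys weekly.
const (
	DiskKeyRotation  = 365 * 24 * time.Hour
	StoreKeyRotation = 7 * 24 * time.Hour
)

var errInvalidPadding = errors.New("invalid PKCS#7 padding")

// pkcs7Pad appends 1..blockSize bytes, each holding the pad length, so the
// result is block-aligned; an already aligned input still gets a full pad block.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding; every malformed case yields
// the same error so the caller cannot tell which check failed.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errInvalidPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errInvalidPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errInvalidPadding
		}
	}
	return b[:len(b)-n], nil
}

// Key is one keyring entry (assumed type): a 32-byte AES-256 secret, an ID without ':' and its creation time.
type Key struct {
	ID      string
	Secret  []byte
	Created time.Time
}

// Keyring (assumed type) keeps the current key at index 0; older keys remain for decryption only.
type Keyring struct{ Keys []Key }

// Encrypt seals plaintext with the current key. Record layout: keyID ':' IV(16) ciphertext.
func (kr *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	if len(kr.Keys) == 0 {
		return nil, errors.New("keyring is empty")
	}
	k := kr.Keys[0]
	block, err := aes.NewCipher(k.Secret) // a 32-byte secret selects AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { // fresh IV per record; CBC must never reuse one
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte(k.ID+":"), iv...), ct...), nil
}

// Decrypt looks up the key named in the record header, so data written under a retired key stays readable.
func (kr *Keyring) Decrypt(record []byte) ([]byte, error) {
	sep := bytes.IndexByte(record, ':')
	if sep < 0 {
		return nil, errors.New("malformed record: no key id")
	}
	id, body := string(record[:sep]), record[sep+1:]
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record: bad length")
	}
	for _, k := range kr.Keys {
		if k.ID != id {
			continue
		}
		block, err := aes.NewCipher(k.Secret)
		if err != nil {
			return nil, err
		}
		pt := make([]byte, len(body)-aes.BlockSize)
		cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
		return pkcs7Unpad(pt, aes.BlockSize)
	}
	return nil, fmt.Errorf("unknown key id %q", id)
}

// RotationDue reports whether the current key has reached the rotation interval.
func (kr *Keyring) RotationDue(now time.Time, interval time.Duration) bool {
	return len(kr.Keys) == 0 || now.Sub(kr.Keys[0].Created) >= interval
}

// Rotate creates a fresh random key and makes it current; previous keys move to decrypt-only use.
func (kr *Keyring) Rotate(id string, now time.Time) error {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return err
	}
	kr.Keys = append([]Key{{ID: id, Secret: secret, Created: now}}, kr.Keys...)
	return nil
}

func main() {
	kr, t0 := &Keyring{}, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed timeline
	_ = kr.Rotate("k1", t0)
	rec, _ := kr.Encrypt([]byte("constructed secret value"))
	_ = kr.Rotate("k2", t0.Add(8*24*time.Hour)) // weekly rotation has come due
	pt, err := kr.Decrypt(rec)                  // still readable via the retired key k1
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Rotate corresponds to the creation stage of the lifecycle described above and the retired entries to the maintenance stage; deleting a retired key is only safe once every record written under it has been re-encrypted with the current key, which is the step an operator would add before the deletion stage.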