Data encryption/decryption at rest

Frank Muller

unread,

Jan 22, 2022, 5:04:16 AM1/22/22

to Erlang-Questions Questions

Hi guys,

We have some ETS tables persisted to disk periodically.

These data are almost static (rarely change) and contains clients information such as: name, gender, date/place of birth, security token, etc.

Due to new policy in place, these data has to be encrypted at rest.
But I still need to access it in a decrypted way inside my Erlang app.

What approach should I take?
Is there any Erlang library to help with this task?

Disclaimer: I’m by far not a security expert

Thanks
/Frank

Andrew Varner

unread,

Jan 22, 2022, 7:22:41 AM1/22/22

to Frank Muller, Erlang-Questions Questions

Can you just use full disk encryption at the operating system level?

On Jan 22, 2022, at 5:04 AM, Frank Muller <frank.mu...@gmail.com> wrote:

Hi guys,

Frank Muller

unread,

Jan 22, 2022, 8:00:11 AM1/22/22

to Andrew Varner, Erlang-Questions Questions

I’ve heard about Luks / Ceph.

Any practical experience with them or any other alternative? I’m looking for a simple solution.

Will data decrypting affect performance?

/Frank

Frank Muller

unread,

Jan 22, 2022, 10:32:09 AM1/22/22

to Andrew Varner, Erlang-Questions Questions

I’m wondering if we can achieve something like this in pure Erlang:

https://stackoverflow.com/a/37953361

Andrew Varner

unread,

Jan 22, 2022, 11:19:24 AM1/22/22

to Frank Muller, Erlang-Questions Questions

My customers always require encryption for data-at-rest (DAR). The nodes we deploy to always have it enabled. Beyond your serialized ETS tables, it protects local log files, which may also contain personally identifiable information. As for performance impacts, I’ve heard they’re negligible. Measuring your specific application would tell you how much.

On Jan 22, 2022, at 8:00 AM, Frank Muller <frank.mu...@gmail.com> wrote:

David Christensen

unread,

Jan 22, 2022, 1:40:54 PM1/22/22

to erlang-q...@erlang.org

On 1/22/22 4:59 AM, Frank Muller wrote:
> I’ve heard about Luks / Ceph.
>
> Any practical experience with them or any other alternative? I’m looking
> for a simple solution.
>
> Will data decrypting affect performance?

On 1/22/22 7:31 AM, Frank Muller wrote:
> I’m wondering if we can achieve something like this in pure Erlang:
> https://stackoverflow.com/a/37953361

Who owns the data? Who owns the disks? Who owns the servers? Who owns
the network? Who has physical access? Who has remote console access?

Do government regulations apply? Contractual obligations? Company
policies? Personal preferences?

At the higher end, I would suggest self-encrypting drives.

In the middle, I would suggest operating system features -- encrypting
device drivers, encrypting filesystems, encrypted communications, etc..
Hardware acceleration is desirable -- AES-NI, PCIe cards, etc..

At the lower end, I would suggest validated cryptographic libraries.

Combining multiple solutions must be very carefully considered --
"security in depth" vs. "increased threat surface".

David

Massimo Cesaro

unread,

Jan 24, 2022, 8:40:22 AM1/24/22

to Frank Muller, Erlang-Questions Questions

Hi Frank,

if you can replace ETS with Mnesia (and in theory you should), then it is pretty simple to write a mnesia activity access callback (see https://www.erlang.org/doc/apps/mnesia/mnesia_app_b) to encrypt your data at rest and having them decrypted on the fly when you need them inside your application.

I did it some time ago, and the only tricky part is how to handle the encryption key(s) for the mnesia table encryption in a secure manner.