Encryption of iRODS data at rest
57 views
Skip to first unread message
aite...@gmail.com
Jan 4, 2021, 7:29:54 PM1/4/21
to iRODS-Chat
Dear community,
I am currently looking at ways of encrypting iRODS data at rest, so I thought I should ask how some of you are handling key management and encryption/decryption operations when files are written/read.
Do you do the encryption using the policy enforcement points (PEP) or how are you doing it?
Thanks for your anticipated response!
Best,
Aiten
aite...@gmail.com
Jan 7, 2021, 4:47:31 PM1/7/21
to iRODS-Chat
Hello guys,
I will appreciate it if someone can share their experience with me,
Thanks in advance
Aiten
John Constable
Jan 7, 2021, 5:19:35 PM1/7/21
to iRODS-Chat
Hey Aiten,
I suspect our collective silence is down to not many of us trying this!
We looked into this a little bit a while back, and the only option that didnt come with IO penalties that would have been too steep (LUKS encypted filesystem, IIRC) was to use encypted-at-rest drives (this was HP at the time), but after investigation it was decided that the additonal cost wasn't worth the additonal protection; as we mostly store genomic data on RAID array filesystems, so you would need multiple drives from the RAID to reconstruct a portion of the file which was itself compressed (CRAM for e.g.) and so the possibility of recovering usefull data from a recyled drive wasn't considered high enough to warranty the additional expense (and vendor lock in!).
I'm pretty sure the community would be interested in any experimentation you might have done though?
John
Vilém Děd
Apr 14, 2022, 1:50:02 AM4/14/22
to iRODS-Chat
There is a microservice for this: https://github.com/irods/contrib/tree/main/microservices/administration/msiencrypt_replica
Just in case you are still interested ;)
(I've found it via https://github.com/irods/irods/issues/3300)
Just in case you are still interested ;)
(I've found it via https://github.com/irods/irods/issues/3300)
John Constable
Apr 14, 2022, 2:40:57 AM4/14/22
to iRODS-Chat
That's interesting, thank you! Have you tried it (and on which version!)? It decrypts at rest on the server, which isn't ideal, but still...
Vilém Děd
Apr 14, 2022, 4:53:10 AM4/14/22
to iRODS-Chat
Sorry, we haven't used it.
The PEP for GET operation can be changed and with a bit of additional code, you could allow decryption in a "safe" resource only.
Just to have it complete - protection of the KV pair with password should be implemented. E.g. with https://github.com/irods/irods_rule_engine_plugin_metadata_guard
The PEP for GET operation can be changed and with a bit of additional code, you could allow decryption in a "safe" resource only.
Just to have it complete - protection of the KV pair with password should be implemented. E.g. with https://github.com/irods/irods_rule_engine_plugin_metadata_guard
Reply all
Reply to author
Forward
0 new messages