Question about encryption at rest and encrypted database.


Raymond Dazo

Sep 29, 2021, 2:11:55 PM
to RavenDB - an awesome database
Hi RavenDB Team,

We're looking at securing our RavenDB database as much as we can. I do have some questions. Please note that security is not one of my strengths, and my questions could be really simple to you, but this would really help us understand things better.

I read in the encryption at rest article that RavenDB assures documents in the .voron file are encrypted when idle. The way I understand it, if documents (part of the data) are not accessed for a while, they are encrypted. That's why when I open a .voron file in a text editor, I can see most data is encrypted and some is not. However, in the case where I have some databases that have been idle or unused for a long time, they are not 100% encrypted. Some content is still in plain text but most is encrypted. What could be the reason behind this?

About encrypting the database, does this mean that regardless of the idle state, the database (.voron file content) will always be encrypted?

Thank you in advance

-Raymond


Oren Eini (Ayende Rahien)

Sep 29, 2021, 2:25:33 PM
to ravendb
Not really how it works. When using encryption at rest, the data is ALWAYS encrypted, both on disk and in memory.
However, when there is an _active transaction_, it will transparently decrypt the data and purge it afterward. There is no "on idle encrypt data" part. 

Note that you have to enable encryption, it is not turned on by default. 



--
Oren Eini
CEO   /   Hibernating Rhinos LTD
Skype:  ayenderahien
Support:  sup...@ravendb.net
  

Raymond Dazo

Sep 30, 2021, 6:42:33 AM
to RavenDB - an awesome database
Hi Oren, thanks for your reply.

So encryption at rest and manually enabling encryption are the same thing. This line from the article got me thinking they are different:

“As long as the database is idle and there are no requests to serve, everything is kept encrypted in the data files.”

“At rest” simply means upon serialization to the voron file, and not an idle state.

Now the last puzzle to me is, why does the voron file content appear to be encrypted? I mean it doesn't appear as human-readable plain text when I open it in a text editor.

-raymond

Raymond Dazo

Sep 30, 2021, 6:43:21 AM
to RavenDB - an awesome database
Note that encryption is not enabled. 

Egor Shamanaev

Sep 30, 2021, 8:45:55 AM
to rav...@googlegroups.com
Hi,

The data is not saved as plain text in the voron file, although you can still see some data as text if you open it in a text editor. That's why there is an encryption feature to fully encrypt the data.



--
Egor
Developer   /   Hibernating Rhinos LTD
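
Added example (not part of the original thread and not RavenDB code): a check a defender can run on a copy of a storage file to see whether readable strings survive on disk, as described above for a database without encryption enabled. The 4096-byte block size, the thresholds and the sample buffers are assumptions constructed for illustration; they do not model the real Voron page layout.

```python
import math
import os
import re
import struct

BLOCK = 4096  # scan granularity in bytes (assumption, not a RavenDB constant)
# Runs of 20+ printable ASCII bytes. Shorter runs occur by chance in
# ciphertext, so a low threshold would flag encrypted files too.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{20,}")

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, lower for structured data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan(data: bytes, min_entropy: float = 7.5):
    """Return (readable_strings, offsets_of_low_entropy_blocks)."""
    strings = [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]
    low = [off for off in range(0, len(data), BLOCK)
           if shannon_entropy(data[off:off + BLOCK]) < min_entropy]
    return strings, low

def scan_file(path: str):
    """Scan a copy of a data file; never run this against a live file."""
    with open(path, "rb") as fh:
        return scan(fh.read())

def sample_unencrypted() -> bytes:
    """Constructed buffer: binary header + JSON-like record per block."""
    records = [b'{"Name":"Alice Example","Email":"alice@example.test"}',
               b'{"Name":"Bob Example","Email":"bob@example.test"}']
    pages = [(struct.pack("<QIH", i, len(r), 1) + r).ljust(BLOCK, b"\x00")
             for i, r in enumerate(records)]
    return b"".join(pages)

def sample_encrypted() -> bytes:
    """Constructed stand-in for ciphertext: uniformly random bytes."""
    return os.urandom(2 * BLOCK)

if __name__ == "__main__":
    for name, buf in (("unencrypted", sample_unencrypted()),
                      ("encrypted", sample_encrypted())):
        strings, low = scan(buf)
        print(name, "readable strings:", strings, "low-entropy blocks:", low)
```

A file that yields no readable strings and no low-entropy blocks is consistent with full encryption, but this is a spot check; the database's own encryption setting remains the authoritative source.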

Raymond Dazo

Sep 30, 2021, 9:41:35 AM
to RavenDB - an awesome database
Thank you. Things are now clear for us.