Encryption at rest

What exactly is involved in making a Node.js application “encrypted at rest”?

This usually refers to the backend data storage. In MongoDB, for example: https://docs.mongodb.com/manual/core/security-encryption-at-rest/

3 Likes

“Encryption at rest” simply refers to the fact that the data is encrypted when not being transmitted; as such, any underlying storage used by your application would need to be encrypted. With a Node app, that typically refers to the database, but may also refer to the hard disk the application runs on (if it contains access keys) and anywhere you store user data in files (e.g., user uploads), which may be a file system, a database, or something else (e.g., AWS S3).

Each of these has its own mechanisms for encryption. With Mongo, you can encrypt it through the DB if you run it on Atlas, or pay the fee for the Enterprise edition. If you’re self-hosting the Community edition you’d need to encrypt the underlying file system (fairly simple through AWS and other cloud providers).

For encryption of files stored outside the file system (e.g., S3 or similar) it is a little more complicated depending on how they are accessed: Only by the server, or directly by the client. In the latter case, you need to somehow distribute a decryption key to the user that decrypts only the files they requested, or only the files they have access to.

3 Likes

ahh

I’m digging into MongoDB Atlas at the moment. It seems that to get 256-bit encryption at rest you need to take additional steps:

https://docs.atlas.mongodb.com/security-aws-kms/#security-aws-kms

It won’t work out of the box.

1 Like

So if I have a Meteor app on Heroku that uses MongoDB Atlas… my data goes

Browser (unencrypted) => Heroku server (unencrypted) => MongoDB (encrypted)

and it’s not encrypted as it goes “over the wire” between Heroku and MongoDB. It’s only HTTPS/SSL?

HTTPS is encryption.

So if all the links are HTTPS you end up with:
Browser =(encrypted)> Heroku server =(encrypted)> MongoDB (encrypted)

1 Like

Yeah, the HTTPS is an encrypted tunnel, but the data packets themselves are in regular JSON.

As for storage at rest, Mongo Atlas provides database-level encryption. But you can achieve the same thing with a regular Mongo database running on a disk drive that has FileVault (Mac) enabled or is running NTFS (Windows) or a similar encrypted file system on Linux flavors.

tl;dr - You can achieve encryption at rest without actually doing any programming. It’s generally doable at a systems engineering level.

1 Like

Is TLS/SSL always 256 bit or greater?

Technically no, but practically, yes.
iOS/Safari, Chrome and Firefox will all refuse to accept an HTTPS connection with less than a 2048-bit RSA key.