At Rest Encryption#
It is recommended that you encrypt data at rest. The layers of encryption available are listed below. Use multiple layers for higher levels of protection.
- Hardware (Full Disk) Encryption
The system hardware itself or the operating system disk management may offer encryption of everything stored on physical media.
- Container or Volume Encryption
The operating system or the volume management system may offer encryption of everything stored within containers/volumes, allowing for a more granular key control than hardware level.
For example, if using Amazon Elastic Block Store (EBS), encrypt the EBS.
- Database Encryption
The database may offer encryption of everything it stores, allowing for a more granular key control than container or volume.
When using cloud-managed database services, refer to the key management guidelines provided by the offering.
- File/Folder or Field-level Encryption
The operating system or database may offer encryption at the individual folder, file, or even field-level. This provides a highly granular key control, as decryption can be required for every field based on unique keys.
- Application Encryption
Applications may be written so that encryption happens before data reaches the aforementioned layers, with keys managed entirely outside the service or system that is storing the data.
- Messaging System (Kafka) Encryption
ESS’ services communicate with each other by sending messages through Kafka. Many Kafka deployments already offer data encryption at rest. In addition to this protection, ESS can be configured to encrypt all messages sent to Kafka.
By default, Inrupt enables data encryption for all data that pass through the Kafka messaging system.
As part of updating the inputs for your deployment, define the data encryption keys for Kafka. Specifically, in the
kafka-credentials.envfile, downloaded as part of the installation:
INRUPT_KAFKA_SOLIDRESOURCE_CIPHER_PASSWORDto a strong password. This is used for encrypting and decrypting Solid resource notification events.
INRUPT_KAFKA_AUDITV1EVENTSENCRYPTED_CIPHER_PASSWORDto a strong password. This is used for encrypting and decrypting Audit events.
INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORDto a strong password. This is used for encrypting and decrypting Access Control Resource (ACR) notification events.
You MUST set the data encryption key values to a strong password.
Transport Layer Security (TLS)#
ESS supports TLS 1.2 and 1.3. By configuring your services to use TLS for ingress, you can ensure your data in transit is encrypted. If possible, configure remote services to use TLS encryption.
In production, ESS should run with certificates from an official Certificate Authority (CA) for all external facing services; e.g., Storage services. Self-signed certificates can be used for internal services. For an example of how you can customize your deployment to use your production certificates, see Use Official Certificate Authority.