Encryption

At Rest Encryption

It is recommended that you encrypt data at rest. The layers of encryption available are listed below. Use multiple layers for higher levels of protection.

Hardware (Full Disk) Encryption

The system hardware itself or the operating system disk management may offer encryption of everything stored on physical media.

Container or Volume Encryption

The operating system or the volume management system may offer encryption of everything stored within containers/volumes, allowing more granular key control than at the hardware level.

For example, if using Amazon Elastic Block Store (EBS), encrypt the EBS.

Database Encryption

The database may offer encryption of everything it stores, allowing more granular key control than at the container or volume level.

When using cloud-managed database services, refer to the key management guidelines provided by the offering.

For example, the reference deployment on AWS uses Amazon Relational Database Service (Amazon RDS) encrypted PostgreSQL DB instances.

File/Folder or Field-level Encryption

The operating system or database may offer encryption at the individual folder, file, or even field level. This provides highly granular key control, since each field can be protected with its own key and must be decrypted individually.

Application Encryption

Applications may be written so that encryption happens before data reaches the aforementioned layers, with keys managed entirely outside the service or system that is storing the data.

Transport Layer Security (TLS)

All ESS services, internally and externally, encrypt data in transit with Transport Layer Security (TLS), using version 1.2 by default.

Important

In production, ESS should run with certificates from an official Certificate Authority (CA) for all external-facing services, i.e., the OIDC Broker and the LDP. Self-signed certificates can be used for internal services.

For example, the reference deployment on AWS provides information on securing external access with Let’s Encrypt TLS certificates, storing the Base64-encoded certificate and key in the AWS SSM Parameter Store. Let’s Encrypt is used there for illustrative purposes only; for production, you should determine a suitable TLS certificate provider for your deployment.
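The two TLS rules above, a TLS 1.2 floor and a certificate the client can actually verify, can be exercised against a loopback server as in this added Go example, which is not part of the ESS documentation or code base; the hostname "ess.internal", the throwaway self-signed certificate and the TLS 1.2 minimum are assumptions that model an internal ESS service.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// probe runs one TLS handshake against a loopback server configured like ESS:
// TLS 1.2 or newer only, presenting a self-signed certificate for "ess.internal"
// (a constructed hostname). maxVersion caps what the client offers; trust adds
// the server's own certificate to the client's roots, as an internal client would.
func probe(maxVersion uint16, trust bool) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"ess.internal"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	srv := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the server must run its side of the handshake for the client to get a verdict
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	// The client deliberately allows old versions so that the server, not the client, is what rejects TLS 1.1.
	cli := &tls.Config{ServerName: "ess.internal", MinVersion: tls.VersionTLS10, MaxVersion: maxVersion}
	if trust {
		leaf, _ := x509.ParseCertificate(der) // der was produced just above, so this parses
		cli.RootCAs = x509.NewCertPool()
		cli.RootCAs.AddCert(leaf)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return err
	}
	return conn.Close()
}
```

probe(tls.VersionTLS11, true) fails because the server refuses anything below TLS 1.2, and probe(tls.VersionTLS13, false) fails because a self-signed certificate does not verify against the client's default roots, which is exactly why external-facing services need a CA-issued certificate; probe(tls.VersionTLS13, true), the internal client that trusts the specific certificate, succeeds.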