Data Encryption
Data encryption is used to protect data in transit and data at rest. It secures applications and sensitive information from reputational damage when there is a data breach. In U-Assist, the data is protected both in transit and at rest.
Data in transit
Data in transit is data actively moving between different components of services. Data protection in transit is the encryption of data at transport layer level using TLS 1.2.
Communication between Apache Kafka/Redis and services (third-party, U-Assist, NLP and platform) are protected at transport layer level using TLS 1.2.
Communication between database (Postgres SQL/Mongo) and services are performed through HTTPS protocol and protected at transport layer level using TLS 1.2.
Currently, TLS 1.2 uses self-signed certificates for all the secure communications. However, it also supports client provided private and public keys (signed certificate).
RSA algorithm is used for data encryption and decryption. It is an asymmetric cryptography algorithm where asymmetric means that it works on two different keys i.e. Public Key and Private Key. As the names suggest, the Public Key is given to everyone, and the Private key is kept private.
A client (for example, a browser) sends its public key to the server and requests for some data.
The server encrypts the data using client’s public key and sends the encrypted data.
Client receives this data and decrypts it using its private key.
Data at rest
Data at rest is data stored on a storage medium in any digital form and is protected by encryption at disk/storage level.
Disk encryption:
In U-Assist, disk Encryption is required for the services that persist data (data at rest) on the local volumes. The following are the services that require disk encryption.
PostgreSQL
MongoDB