Encryption
Data encryption
Piiano Vault encrypts data at three levels:
- Inside Vault, all data is stored encrypted at field level, preventing anyone directly accessing the database, even the database's administrator, from seeing plain data.
- Data in transit between an application and Vault is protected using TLS. Among others, this includes communication from:
  - applications to Piiano Vault
  - Piiano Vault to the back-end storage
  - Piiano Vault to Amazon S3
- The Vault database is encrypted at rest (aka disk-level encryption). This is enforced as part of the deployment. This encryption mechanism includes:
  - Back-end storage
  - Files
  - Properties of objects
  - Data of value tokens

From an application's perspective, accessing and querying encrypted properties and handling encryption is transparent.
Vault manages key provisioning and rotation for the encryption keys.
Vault doesn't rotate keys automatically and doesn't provide for managing key versions, such as deleting key versions. Vault applies rotated keys only to new encryptions; the entire database is not re-encrypted. If the entire database must be re-encrypted, either export and import the data or perform a read/write loop over collection objects.
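The rotation behavior described above, as an added example that is not part of the original page and is not Piiano Vault's code or API: a small in-memory model in which each stored field records its key version, so a rotation affects only new writes until a read/write loop rewrites the older values. The names ModelStore, derive_key and reencrypt_all, the seed-based key derivation, and the stdlib-only stand-in cipher are assumptions made for this illustration.

```python
import hashlib, hmac, os

def derive_key(seed: bytes, version: int, purpose: bytes) -> bytes:
    # Assumption: one key per (version, purpose), derived from a seed with HMAC-SHA256.
    return hmac.new(seed, purpose + b"|v%d" % version, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), used only to stay stdlib-only.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class ModelStore:
    """In-memory model: every field value is stored encrypted, tagged with its key version."""
    def __init__(self, seed: bytes):
        self.seed, self.version, self.rows = seed, 1, {}

    def rotate(self) -> None:
        self.version += 1  # only later writes use the new key; stored rows are untouched

    def _tag(self, version: int, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(derive_key(self.seed, version, b"mac"), nonce + ct, hashlib.sha256).digest()

    def write(self, obj_id: str, field: str, value: str) -> None:
        nonce = os.urandom(16)
        ct = _xor_stream(derive_key(self.seed, self.version, b"enc"), nonce, value.encode())
        self.rows[(obj_id, field)] = (self.version, nonce, ct, self._tag(self.version, nonce, ct))

    def read(self, obj_id: str, field: str) -> str:
        version, nonce, ct, tag = self.rows[(obj_id, field)]
        if not hmac.compare_digest(tag, self._tag(version, nonce, ct)):
            raise ValueError("integrity check failed")
        return _xor_stream(derive_key(self.seed, version, b"enc"), nonce, ct).decode()

    def versions_in_use(self) -> set:
        return {row[0] for row in self.rows.values()}

def reencrypt_all(store: ModelStore) -> int:
    """Read/write loop: decrypt under the recorded version, rewrite under the current one."""
    stale = [k for k, row in store.rows.items() if row[0] != store.version]
    for obj_id, field in stale:
        store.write(obj_id, field, store.read(obj_id, field))
    return len(stale)

if __name__ == "__main__":
    s = ModelStore(b"constructed-demo-seed")       # constructed sample data
    s.write("obj-1", "email", "alice@example.com")
    s.rotate()
    s.write("obj-2", "email", "bob@example.com")
    print(s.versions_in_use(), reencrypt_all(s), s.versions_in_use())
```

In this model an old key version can be retired only once versions_in_use() no longer reports it, which is the check to run after the loop completes.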
Key management service
Vault relies on a master key to generate encryption keys for property encryption, decryption, data signing, and verification. Use the Amazon Web Services (AWS) KMS, Google Cloud Platform (GCP) KMS, or Azure Key Vault to ensure secure property encryption when implementing Vault in a cloud environment. However, if you prefer to manage the keys independently or do not want to rely on a cloud provider, you can provide a seed for generating a secure master key.