0

For PII, we have to encrypt some columns in our DB(All of our infra resides on our own DC, not using any cloud provider).

Now roughly what we are doing is

  • Created a CMK at AWS.
  • Generate Data Key using CMK
  • Store the encrypted key in DB
  • For every request, we decrypt the encrypted data key via AWS and got the plaintext data key.(We basically do not do it for every request, we cache it for some time in memory due to costing/performance issues)
  • We have created our own encryption library(Using AES-256 with CBC with random IV / random salt for every request)
  • Then using the plaintext data key, we call the AES library to encrypt/decrypt.

Now I have few questions

  1. a) How many different data keys we need to create? I mean whether it should be different for every column / different for every calling service / team?

  2. Is AES-256 with CBC (Random SALT/Random IV for every request) fine for our use case or do I need to use AES with GCM?

  3. Do I need to rotate Data keys?

Ankit Bansal
  • 157
  • 1
  • 9

1 Answers1

0

We cannot know the answers. It depends completely on your use case, of which you have explained very little.

Some considerations:

  1. How many data key do you need to create? As many as you have different access permissions. For example: if group1 has access to col1, col2, col3 and group2 has access to col1,col4,col5 you would need 3 data keys (one for col1, one for col2/3 and one for col4/5). If you want to be real flexible, for example because your organisation frequently reorganizes, you may choose to use more keys, for example one per column.

  2. I'd go for GCM, for the following reasons:

  • performance
  • CBC is less secure (f.e. padding attacks)
  • I've always liked Evariste Galois
  1. That depends too much on your application. For very large databases that contain many years of historical data, key rotation is often impractical. For small databases were the data value is limited in time, you could.
Ljm Dullaart
  • 1,897
  • 4
  • 11