On Mar 13, 2014, at 10:05 AM, Aristedes Maniatis <a...@maniatis.org> wrote:
>> Yes, you are exactly right about that. For now planning on using normal java
>> keystore facility. Starting the servers will require an admin to enter
>> password which will unlock the keystore. There will likely be additional
>> security enhancements protecting the keystore.
>
> Ah, the automatic failover at 3am is going to be fun for some sysadmin :-)

Nobody says security is going to be transparent :) For the client in question, we have lots of redundancy. Also we don’t start appservers from /etc/init.d anyways. So everyone is accustomed to (remotely-scripted) manual restarts.

>> The important thing is to move all these concerns outside Cayenne, so that
>> each org could make their own decisions as to the levels of security
>> required. Cayenne will provide an abstract way to do transparent per-column
>> crypto. I am thinking of a very simple Cayenne-side “cayenne-crypto”
>> Maven/DI module, free of key management code and defining 2 abstract
>> services: (1) Cypher - a pluggable encryption mechanism with ability to
>> version keys (2) Metadata - telling Cayenne which columns are encrypted. And
>> also declaring overrides of RowReaderFactory and other relevant services to
>> enable encryption.
>
> It would be nice public relations to have "Cayenne has out-of-the-box crypto
> support" as a feature. Are you storing a key version as part of the encrypted
> data stream?

I am still working on this piece actually. It has to be attached to the record. The question is whether we keep it unencrypted (simplifies management and migration between keys), or encrypt it together with the data (more secure).

Andrus
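As an added illustration of the key-version question discussed in this thread (not Cayenne code, and not the cayenne-crypto module that was eventually built): a hypothetical column cipher that stores the key version in the clear ahead of the ciphertext, so a reader can pick the right key and old rows can be migrated, but binds that version byte to the ciphertext as AES-GCM additional authenticated data so that tampering with it fails decryption. The class name, envelope layout and `rotate` helper are assumptions for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Map;

// Hypothetical, not part of Cayenne. Envelope layout per column value:
//   [1-byte key version][12-byte random IV][AES-GCM ciphertext + 16-byte tag]
// The version byte is readable without a key (so the right key can be looked up
// and rows under old keys can be found), yet it is authenticated as GCM AAD.
public final class VersionedColumnCipher {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final Map<Byte, SecretKeySpec> keys;   // key version -> AES key (loaded from a keystore in practice)
    private final byte currentVersion;
    private final SecureRandom rng = new SecureRandom();

    public VersionedColumnCipher(Map<Byte, SecretKeySpec> keys, byte currentVersion) {
        this.keys = keys; this.currentVersion = currentVersion;
    }

    public byte[] encrypt(byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);                        // fresh IV per value; never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keys.get(currentVersion), new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(new byte[] { currentVersion }); // version is cleartext but tamper-evident
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(1 + IV_LEN + ct.length).put(currentVersion).put(iv).put(ct).array();
    }

    public byte[] decrypt(byte[] envelope) throws Exception {
        byte version = envelope[0];
        SecretKeySpec key = keys.get(version);
        if (key == null) throw new IllegalStateException("no key loaded for version " + version);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, envelope, 1, IV_LEN));
        c.updateAAD(new byte[] { version });        // a swapped version byte fails the tag check
        return c.doFinal(envelope, 1 + IV_LEN, envelope.length - 1 - IV_LEN);
    }

    /** Re-wraps a stored value under the current key; returns it unchanged if already current. */
    public byte[] rotate(byte[] envelope) throws Exception {
        return envelope[0] == currentVersion ? envelope : encrypt(decrypt(envelope));
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKeySpec k1 = new SecretKeySpec(kg.generateKey().getEncoded(), "AES");
        SecretKeySpec k2 = new SecretKeySpec(kg.generateKey().getEncoded(), "AES");
        byte[] stored = new VersionedColumnCipher(Map.of((byte) 1, k1), (byte) 1).encrypt("constructed value".getBytes());
        VersionedColumnCipher next = new VersionedColumnCipher(Map.of((byte) 1, k1, (byte) 2, k2), (byte) 2);
        byte[] migrated = next.rotate(stored);    // decrypts with key 1, re-encrypts under key 2
        System.out.println(migrated[0] == 2 && "constructed value".equals(new String(next.decrypt(migrated))));
    }
}
```

Keeping the version in the clear costs nothing in confidentiality (it reveals only which key generation was used) while the AAD binding removes the integrity argument for encrypting it; the migration then only needs to scan for rows whose first byte is not the current version.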