Re: Encrypted Data at Rest

[Jody Bevan via 4D_Tech]

Richard:

Hardware acceleration in the CPU is still not nearly as fast as this task being 
done by the drive controller. All software runs through the CPU. Yes, the CPU 
can support specific types of code which helps. Just like GPUs,  the advanced 
support in the drive controllers makes a big difference. Tim’s explanation 
really highlights why it is faster - good explanation Tim.  

As with all things in 4D and IT, there are vast differences in use and needs. 
Why buy a big server with 24 GB RAM and 2 Terabytes of SSD in RAID 
configuration, and 18 CPUs when there are 20 people connecting - not needed - 
huge waste of money. On the other hand trying to serve a large site with large 
data, and heavy use with a MacMini running FileVault would be a no go. When 
working with large sites with hundreds of people connected and they do ALL 
their work in the system, good hardware, good network, and OS makes a huge 
difference (as well as proven 4D application). This is when pinches in 
throughput really shows. It makes one dig into the details. Reminds me of 
gigabyte switches. Clients would complain that the switches we insisted on were 
way to expensive when they could buy gigabyte switches for 20% of the price. 
Yes each port may be able to support 1 GB throughput, but if the whole device 
only support 2 GB throughput it really is not good for busy sites. The details 
matter at large sites.

The details of performance really matter if your site’s needs require high 
performance. If not - then FileVault2 can be a great solution that makes a lot 
of sense.

Apple backed out of the server world as far as hardware is concerned, but that 
is a whole other topic for those of us that actively supported Apple Servers 
with several hundred Xserves. With a few more important features we could have 
sold several hundred more.

Jody


> On Aug 2, 2017, at 1:59 PM, Richard Wright via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Not sure why you say for personal use only. FileVault supports 256 AES and 
> benefits from hardware acceleration in the CPU. I’ve never done timing 
> comparisons but there are no noticeable performance effects at all. Some 
> people have tested, years ago, and found at most only 2-3% degradation.
> 

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

RE: Encrypted Data at Rest

[Bruno LEGAY via 4D_Tech]

Hi,

This is an interesting subject...

I would say it depends on what you want to protect from and how deep are your 
pockets...

As people said, it is difficult to encrypt the whole 4D database without 
encryption being supported at the database engine level...
At the moment 4D does not support it.

It is possible to encrypt few fields, but it will then be difficult to search 
on those crypted fields... Decrypting on the fly is ok for targeted purpose but 
not for massive data processing (search, sort, stats, etc...).

For instance, database with people and medical results. One idea would be to 
encrypt the medical result but not encrypt the name, surname, dob information 
(so you can at least search, if authorized, the result of one person).
If you store a pdf of results with name and medical results they need to be 
encrypted as well.

If you wanted to make stats ont the medical data, then you would have to have 
information in "clear" but encrypt the relation between medical data and 
person...

This is just an idea, I don't know if it will hold against certification...

Filesystem/storage level encryption is good for one part of the risks. if 
machine gets stolen, drive is disposed of without being rerased/destroyed...
If you can get away with this, this will be the easiest/cheapest option.

But if a hacker gets into your server (with the same privileges as the owner of 
the datafile), he will be able to copy you data file (and if he is very good he 
will read/extract your data)...
If a hacker is into your server, it means that your network security was not 
that great, that the server configuration/protection was not that great, etc...

Now what about a dishonest/bad/disgruntled employee/admin (or a whistler 
blower)... These things can happen, event to the NSA...

Should the information be accessible to the admin ? the developer ? or just the 
users with correct privileges ?

If you do backups (they will leave the encrypted disk, the machine and the 
building hopefully), you need to encrypt the backup data (7z has an option to 
do AES-256 encryption).

Then there is the question of the keys... Where and how do you store and 
protect the keys ??? 
Hard coded in code ?, in data ? in preference file ? in a Hardware Security 
Module (HSM) ?
The HSM is a kind of very specialized (and very expensive) hardware designed to 
store and protect keys and self-destroy if tempered with... 

S3 is an option. Communication to S3 is secure (https). 
Storage can be done encrypted with AES-256 (transparently), it is just an 
option at object level. Data is encrypted before being written to disk and 
decrypted on the fly when you try to read it (all transparent). Amazon cannot 
read your data (it is encrypted with your secret key).
I read that NSA was suspected to have planted a "system" (with the help of 
Amazon ?) between the  ssl tunnel exit and before the encryption... But that's 
it.
If you don't trust amazon/nsa, you can encrypt before sending.

Finally, Oracle has a concept of "Transparent Data Encryption" since few years 
(11g).
Maybe if you really need this, store your data on Oracle.

HTH





**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Tim Nevels via 4D_Tech]

On Aug 2, 2017, at 7:35 PM,Richard Wright wrote:

> Not sure why you say for personal use only. FileVault supports 256 AES and 
> benefits from hardware acceleration in the CPU. I’ve never done timing 
> comparisons but there are no noticeable performance effects at all. Some 
> people have tested, years ago, and found at most only 2-3% degradation.

That sounds fantastic. I had no idea it was so good. And it’s free!

From what you say it sounds like it is ready for use in any and all situations 
where you need to encrypt data on macOS. 

Tim


Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com


**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Richard Wright via 4D_Tech]

Not sure why you say for personal use only. FileVault supports 256 AES and 
benefits from hardware acceleration in the CPU. I’ve never done timing 
comparisons but there are no noticeable performance effects at all. Some people 
have tested, years ago, and found at most only 2-3% degradation.


> Date: Wed, 02 Aug 2017 13:21:09 -0500
> From: Tim Nevels 
> 
> On Aug 2, 2017, at 12:51 PM,Chip Scheide wrote:
> 
>> depending on the computer system.
>> This is built into (software) OS X it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be 
>> true at all, or only for newer (8 and or 10).
>> 
>> I do not have explicit experience (I'm sure Jody does), i would expect 
>> there to be some performance hit with Filevault, as it is software.
> 
> Remember that what Jody is talking about the encryption is handled in 
> hardware by the drive controller so performance hit is negligible as they 
> say. Don’t confuse the issue by including consumer level software encryption 
> like FileVault. FileVault is for personal use only.
> 
> Just making the point for any amateurs out there reading this thread. The 
> people running 4D Server on a Mac Mini and they think “I’ll be more secure 
> and put my data file in FileVault." Yeah, it should work. But I think you 
> would be hard pressed to find anyone that would recommend doing that. 
> 
> And also keep in mind that drive level encryption has no impact on database 
> performance when you are accessing the data cache. No encryption of the data 
> cache and memory. So the negligible decryption performance hit only impacts 
> the first read from disk to load the data cache. And there is a negligible 
> encryption performance hit when writing to disk. But that only happens when 
> the cache is flushed. And the flush happens in a separate thread on a 
> separate core on 4D Server. So that makes it super negligible.
> 
> Tim
> 
> 
> Tim Nevels
> Innovative Solutions
> 785-749-3444
> timnev...@mac.com
> 

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Milan Adamov via 4D_Tech]

FileVault 2, or just FileVault since Mountain Lion, is drive level encryption.

Milan

Sent from my iPad

> On Aug 2, 2017, at 21:21, Tim Nevels via 4D_Tech <4d_tech@lists.4d.com> wrote:
> 
>> On Aug 2, 2017, at 12:51 PM,Chip Scheide wrote:
>> 
>> depending on the computer system.
>> This is built into (software) OS X it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be 
>> true at all, or only for newer (8 and or 10).
>> 
>> I do not have explicit experience (I'm sure Jody does), i would expect 
>> there to be some performance hit with Filevault, as it is software.
> 
> Remember that what Jody is talking about the encryption is handled in 
> hardware by the drive controller so performance hit is negligible as they 
> say. Don’t confuse the issue by including consumer level software encryption 
> like FileVault. FileVault is for personal use only.
> 
> Just making the point for any amateurs out there reading this thread. The 
> people running 4D Server on a Mac Mini and they think “I’ll be more secure 
> and put my data file in FileVault." Yeah, it should work. But I think you 
> would be hard pressed to find anyone that would recommend doing that. 
> 
> And also keep in mind that drive level encryption has no impact on database 
> performance when you are accessing the data cache. No encryption of the data 
> cache and memory. So the negligible decryption performance hit only impacts 
> the first read from disk to load the data cache. And there is a negligible 
> encryption performance hit when writing to disk. But that only happens when 
> the cache is flushed. And the flush happens in a separate thread on a 
> separate core on 4D Server. So that makes it super negligible.
> 
> 
**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

RE: Encrypted Data at Rest

[Tim Nevels via 4D_Tech]

On Aug 2, 2017, at 12:51 PM,Chip Scheide wrote:

> depending on the computer system.
> This is built into (software) OS X it is called 'FileVault'.
> I believe that Windows 7+ has a similar feature, but this might not be 
> true at all, or only for newer (8 and or 10).
> 
> I do not have explicit experience (I'm sure Jody does), i would expect 
> there to be some performance hit with Filevault, as it is software.

Remember that what Jody is talking about the encryption is handled in hardware 
by the drive controller so performance hit is negligible as they say. Don’t 
confuse the issue by including consumer level software encryption like 
FileVault. FileVault is for personal use only.

Just making the point for any amateurs out there reading this thread. The 
people running 4D Server on a Mac Mini and they think “I’ll be more secure and 
put my data file in FileVault." Yeah, it should work. But I think you would be 
hard pressed to find anyone that would recommend doing that. 

And also keep in mind that drive level encryption has no impact on database 
performance when you are accessing the data cache. No encryption of the data 
cache and memory. So the negligible decryption performance hit only impacts the 
first read from disk to load the data cache. And there is a negligible 
encryption performance hit when writing to disk. But that only happens when the 
cache is flushed. And the flush happens in a separate thread on a separate core 
on 4D Server. So that makes it super negligible.

Tim


Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com


**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

RE: Encrypted Data at Rest

[Justin Will via 4D_Tech]

I don't believe that FileVault and Windows built in encryption is sufficient 
enough.  I need to comply with NIST Special Publication 800-57.  I believe it 
will have to be hardware based with some sort of special key management.  
Honestly it's all pretty foreign to me.

Justin

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Keith Culotta via 4D_Tech]

FileVault 2 was a big improvement over Apple's first attempt.
This link describes the performance impact:
http://osxdaily.com/2011/08/10/filevault-2-benchmarks-disk-encryption-faster-mac-os-x-lion/

Keith - CDI


> On Aug 2, 2017, at 12:47 PM, Jody Bevan via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Chip:
> 
> Even longer than the hardware/firmware solutions there has been software to 
> do this. The performance hit is substantial though. I remember testing out a 
> software solution about 15 years ago with a compiled standalone version of 
> our application. Essentially with these they intercept the writing to the 
> hard drive for certain applications so that you do not have to do this for 
> all applications. It was substantially slower. Of course that was 15 years 
> ago, so this could have speeded up since then, especially with SSD. Still 
> though the hardware/firmware solution I could not see a difference in 
> performance between with it and without it.
> 
> Jody
> 
> 
>> On Aug 2, 2017, at 9:07 AM, Chip Scheide via 4D_Tech <4d_tech@lists.4d.com> 
>> wrote:
>> 
>> depending on the computer system.
>> This is built into (software) OS X it is called 'FileVault'.
>> I believe that Windows 7+ has a similar feature, but this might not be 
>> true at all, or only for newer (8 and or 10).
>> 
>> I do not have explicit experience (I'm sure Jody does), i would expect 
>> there to be some performance hit with Filevault, as it is software.
>> 
>> 
>> her is a link to an ARsTechnica thread about SSD encryption
>> https://arstechnica.com/civis/viewtopic.php?t=1243475
>> 

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Jody Bevan via 4D_Tech]

Chip:

Even longer than the hardware/firmware solutions there has been software to do 
this. The performance hit is substantial though. I remember testing out a 
software solution about 15 years ago with a compiled standalone version of our 
application. Essentially with these they intercept the writing to the hard 
drive for certain applications so that you do not have to do this for all 
applications. It was substantially slower. Of course that was 15 years ago, so 
this could have speeded up since then, especially with SSD. Still though the 
hardware/firmware solution I could not see a difference in performance between 
with it and without it.

Jody


> On Aug 2, 2017, at 9:07 AM, Chip Scheide via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> depending on the computer system.
> This is built into (software) OS X it is called 'FileVault'.
> I believe that Windows 7+ has a similar feature, but this might not be 
> true at all, or only for newer (8 and or 10).
> 
> I do not have explicit experience (I'm sure Jody does), i would expect 
> there to be some performance hit with Filevault, as it is software.
> 
> 
> her is a link to an ARsTechnica thread about SSD encryption
> https://arstechnica.com/civis/viewtopic.php?t=1243475
> 

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

RE: Encrypted Data at Rest

[Chip Scheide via 4D_Tech]

depending on the computer system.
This is built into (software) OS X it is called 'FileVault'.
I believe that Windows 7+ has a similar feature, but this might not be 
true at all, or only for newer (8 and or 10).

I do not have explicit experience (I'm sure Jody does), i would expect 
there to be some performance hit with Filevault, as it is software.


her is a link to an ARsTechnica thread about SSD encryption
https://arstechnica.com/civis/viewtopic.php?t=1243475

On Wed, 2 Aug 2017 14:50:24 +, Justin Will via 4D_Tech wrote:
> Jody,
> 
> Do you have a recommendation on a controller that does this well?
> 
> Thanks
> Justin
> **
> 4D Internet Users Group (4D iNUG)
> FAQ:  http://lists.4d.com/faqnug.html
> Archive:  http://lists.4d.com/archives.html
> Options: http://lists.4d.com/mailman/options/4d_tech
> Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
> **
---
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing 
**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Encrypted Data at Rest

[Jody Bevan via 4D_Tech]

Justin:

That is a requirement of Health Care Systems in Canada for more than 15 years. 
It is actually a good idea. Fortunately there is an ‘easy’ way to do it and it 
does not take once ounce of programming (not good for billable hours). The 
clients purchase the drive controllers and drives (if using existing servers) 
that encrypt all data on the drive. All servers we purchase now, have this 
hardware feature in them. This works with SSDs as well.

The speed is such that there even large sites do not notice a reduction of 
performance of the system.


Jody Bevan
ARGUS Productions Inc.
Developer

Argus Productions Inc. 


> On Aug 2, 2017, at 8:22 AM, Justin Will via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> I have had a request to have a system have all data at rest encrypted.  My 
> understanding is that they actually want the 4D datafile and backups 
> encrypted at all times.  Have others had to deal with this and if so what 
> options did you find available and what did you choose as your solution?
> 
> Thanks
> Justin Will

**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

RE: Encrypted Data at Rest

[Dennis, Neil via 4D_Tech]

>  Have others had to deal with this and if so what options did you find 
> available and what did you choose as your solution?

The easiest is to turn on the drive encryption. However I also selectively 
encrypt more sensitive information so it is double encrypted.

Neil










Privacy Disclaimer: This message contains confidential information and is 
intended only for the named addressee. If you are not the named addressee you 
should not disseminate, distribute or copy this email. Please delete this email 
from your system and notify the sender immediately by replying to this email.  
If you are not the intended recipient you are notified that disclosing, 
copying, distributing or taking any action in reliance on the contents of this 
information is strictly prohibited.

The Alternative Investments division of UMB Fund Services provides a full range 
of services to hedge funds, funds of funds and private equity funds.  Any tax 
advice in this communication is not intended to be used, and cannot be used, by 
a client or any other person or entity for the purpose of (a) avoiding 
penalties that may be imposed on any taxpayer or (b) promoting, marketing, or 
recommending to another party any matter addressed herein.
**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**