
RavenDB Database Security Methods


Read on to learn more about RavenDB database security: encryption at rest and in transit, as well as key management.

With cybercrime estimated to have cost the global economy over one trillion USD in 2020, database security has never been more relevant. To properly secure a database, data must be protected both in transit between server and node, and at rest on the server.

Encryption at rest protects the data stored on the server, preventing it from being viewed, stolen, or otherwise accessed by someone with malicious intent. If an unencrypted disk is lost or stolen, for example, an attacker will have complete access to your data. When encrypted, however, the data will be unreadable and the attacker will see it only as random noise.

A common problem with database security is that it can become too complicated to understand and implement. As a result, it’s often put off, forgotten, or abandoned completely. RavenDB’s solution is to take care of security behind the scenes, requiring only a few clicks from the user on setup to completely secure the database. (Of course, as with most things in RavenDB, you have the option to get more hands-on if you wish.)

RavenDB uses an authenticated encryption scheme called XChaCha20Poly1305 with a 256-bit key. The details of XChaCha20Poly1305 are well beyond the scope of this article, but the important things to know are that it does its job extremely well, it has been thoroughly vetted by industry experts, and it is standardized by the IETF (Internet Engineering Task Force).

Data is encrypted at the lowest possible layer – the storage layer – using RavenDB’s own custom-made storage engine, Voron. Encryption at this layer is completely transparent to other levels of the server, meaning you never have to deal with its complexities. Another advantage of performing encryption at this layer is that it’s much faster, which helps offset the inherent performance cost of encryption.
There wouldn’t be much point in having an encrypted database if it transferred data in an unencrypted form for the whole world to see. To avoid this misstep, RavenDB requires you to have authentication and HTTPS enabled to create an encrypted database. The good news is that authentication and HTTPS are set up automatically when you select secure mode in the RavenDB setup wizard. If you wish to set up authentication your own way, you can do so by following the instructions available here. Once in secure mode, you can create an encrypted database using the Studio as shown in the image below, or manually using the REST API and Client API.
