
Data can have 3 states (in transit, in use and at rest). I know that for Windows Server, common methods of encryption are:

In Transit = IPSEC

In Use = ???

At Rest = BitLocker

Is it possible to encrypt data that is in use (i.e. in the CPU and memory)? If so, how?

Techboy

2 Answers


Is your application able to view, process, and modify encrypted data directly? If not, then encrypting data "in use" is a non-starter. There's a reason that regulatory bodies only speak to transit and rest encryption - aside from a very few incredibly specialized applications, data must be decrypted in CPU and Memory for the system to do anything with it.

What are you trying to protect against with this requirement?

EEAA
  • The application would be SAP (GUI and web services); these cannot view, process or modify encrypted data directly. I was wondering if software within the OS would handle this on behalf of the application. I am currently working for a client who is asking about this level of encryption. Thank you for your quick and clear answer :-) – Techboy May 24 '17 at 13:57
  • OK, if the application cannot process encrypted data, then the data *must* exist in the CPU and RAM unencrypted, which would make "encryption in use" impossible to achieve. :) – EEAA May 24 '17 at 13:58

I don't know if there's any native support for it, but that sounds like homomorphic encryption. This method of encryption allows a system to work on encrypted data without actually decrypting it. The system applies an operation (addition, for example) on ciphertext and that operation passes through meaningfully to the encrypted plaintext without decrypting it. This is of considerable interest to customers of data centers since it allows their data to be manipulated by data center servers while remaining confidential in the event of a data breach, which kind of sounds like the feature your client is asking about.

user143311
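As an added illustration of the "operation on ciphertext passes through to the plaintext" behaviour described in the answer above (example code, not from the original thread or either answerer), here is a toy implementation of the Paillier cryptosystem in Python. Paillier is my choice of scheme; the answer names no specific one. It is additively homomorphic: multiplying two ciphertexts modulo n^2 yields a ciphertext of the sum of the two plaintexts, so an untrusted server can total values it is unable to read. The primes, the `untrusted_server_total` helper and the salary figures are constructed for this example; real keys use a 2048-bit or larger n. The caveat for a client asking about "encryption in use" is that Paillier supports only addition and multiplication by a known constant, not arbitrary computation, so it does not by itself make a general application such as SAP work on ciphertext.

```python
"""Toy Paillier cryptosystem (added example, not code from the original thread).

Demonstrates additively homomorphic encryption: a server holding only
ciphertexts and the public key can add the underlying values without
decrypting them. Parameters are toy-sized for readability; real
deployments use n of 2048 bits or more.
"""
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Build a Paillier key pair from two primes p, q (assumed supplied by the caller)."""
    n = p * q
    # Required by the scheme; holds automatically when p and q have the same bit length.
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p*q must be coprime to (p-1)(q-1)")
    lam = lcm(p - 1, q - 1)
    g = n + 1                       # standard choice of generator; gives mu = lam^-1 mod n
    mu = pow(lam, -1, n)            # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)


def encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2. Fresh random r makes equal plaintexts encrypt differently."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    if r is None:
        while True:
            r = random.randrange(1, n)
            if gcd(r, n) == 1:
                break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    u = pow(c, lam, n2)             # the r^n factor vanishes: r^(n*lam) == 1 mod n^2
    l_val = (u - 1) // n            # exact division: u - 1 is a multiple of n
    return (l_val * mu) % n


def add_encrypted(pub, c1, c2):
    """Multiplying ciphertexts mod n^2 adds the plaintexts (mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Raising a ciphertext to a known constant k multiplies the plaintext by k."""
    n, _ = pub
    return pow(c, k, n * n)


def untrusted_server_total(pub, ciphertexts):
    """Constructed server-side role: sums values it cannot read, using only the public key."""
    total = encrypt(pub, 0)         # encryption of zero as the running sum
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def demo():
    # Toy primes constructed for the example (n = 10403); plaintext sums must stay below n.
    pub, priv = keygen(101, 103)
    salaries = [1200, 3400, 2500]   # constructed sample data, sum 7100
    encrypted = [encrypt(pub, s) for s in salaries]
    enc_total = untrusted_server_total(pub, encrypted)
    return decrypt(pub, priv, enc_total)


if __name__ == "__main__":
    print(demo())
```

The server side (`untrusted_server_total`) never sees a plaintext or the private key, which is the property the answer describes. Note the range restriction: sums are computed modulo n, so a value that exceeds n wraps silently, which is one of the reasons real parameters are large.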