
Google CloudSQL documentation states that the data is encrypted in transit and at rest.

I'm using pgcrypto in a Django app to encrypt sensitive information. However I'm wondering if there's any point in doing this since it's already encrypted at rest. The only thing I can imagine is an event where the Google App Engine server with the deployed code gets compromised and the password to the database is somehow leaked - the hackers would eventually have access to unencrypted data as they 'read' it in. But then even with pgcrypto, in the event the GAE server is compromised, they'd still be able to run code to fetch unencrypted data.

Am I overthinking this? The goal is to provide total peace of mind to the end-user with as many 'hurdles' introduced as possible to ensure their data stays completely secure. I have a feeling I don't really need pgcrypto, but looking for an educated reply.

strangetimes
  • I think the case you described could warrant encrypting your data. Without knowing about your application it would provide peace of mind to your users to know that even you cannot access their data. – Sebastian Smolorz May 27 '17 at 13:11
  • That's true, however pgcrypto would give me symmetric encryption, which means I'm still able to read and access the data (not directly, but indirectly via running my code and then decrypting it on the fly - this applies to all apps using symmetric-key encryption). With CloudSQL's built-in encryption, I can of course read the data in plain text using any SQL database viewer (but still require the database password). I have a feeling pgcrypto will have its benefits, not sure what others do. – strangetimes May 27 '17 at 13:22

1 Answer

The rather educated answer is: Yes.

Underlying encryption offered by CloudSQL is like FileVault offered by OS X - your stuff truly is encrypted, but if you're logged in, everything is world-readable to you.

The main worry is that you, or someone who is able to compromise your server, is able to read data in plain-text. Data needs to be encrypted, and I've personally gone beyond the default AES 128-bit offered by most databases and switched to AES 256-bit with initialisation vector (a different one for each encrypted content). This will ensure that the data is encrypted, inaccessible and unreadable by even yourself. Yes, your code is eventually able to decrypt but storing and protecting the decryption keys is a different topic altogether.

strangetimes