encryption at db/table level

vcarusi

Hi,
Is it possible to have entire db encrypted ? or a table?
What I read regards only a specific column (varchar).
Is there any documentation regarding this?
Thank you!

mosheg

1) Vertica provides functions to encrypt and decrypt data using Voltage SecureData.
Some of its advantages:
A. The encrypted values have the same overall format as the unencrypted data, so you do not have to change the data types of table columns that you want to encrypt.
B. The encrypted values have the same sort order as unencrypted data, and encrypted values can be cross-referenced between tables, as long as each instance of the value is encrypted with the same key.
See: https://www.vertica.com/docs/10.0.x/HTML/Content/Authoring/VoltageIntegration/HowVerticaAndSecureDataWorkTogether.htm

2) Vertica Extension Encryption Package, an opensource Github package, contains encryption functions for Vertica.
Provided here:
https://github.com/vertica/Vertica-Extension-Packages/tree/master/encryption_package

3) For HW encryption at rest one can use the Linux Unified Key Setup (LUKS) which is a disk encryption specification created by Clemens Fruhwirth. The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.
LUKS format is the default implementation of block device encryption in RHEL.
See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening

4) See also the answers here:
https://forum.vertica.com/discussion/223189/does-vertica-support-storage-level-encryption-for-data

vcarusi

Thank you for documentation.
The answers seems to be:

• Is it possible to have entire db encrypted? yes, at disk or file level
• Is it possible to have a table encrypted ? if all columns are encrypted, one by one.
  What about date/numeric datatypes, can they be encrypted?
  Thank you!

mosheg

What about date/numeric datatypes, can they be encrypted?
For Voltage SecureData encryption, the VoltageSecureProtect function only encrypts VARCHAR values. If you need to encrypt other data types, such as DATE or INTEGER, you must cast these values to VARCHAR in your function call.
The same for decrypting, you must cast any non-VARCHAR columns to VARCHAR when calling VoltageSecureAccess.
Examples are shown here: https://www.vertica.com/docs/10.0.x/HTML/Content/Authoring/VoltageIntegration/EncryptingAndDecryptingDataUsingVoltageSecureProtect.htm
See also examples and benchmark for the Github Encryption Package: https://github.com/vertica/Vertica-Extension-Packages
Here: https://www.vertica.com/blog/gdpr-ready-recipe/