Date: Thu, 9 Apr 2020 23:57:32 -0400 From: Aryeh Friedman <aryeh.friedman@gmail.com> To: "Kudiwu, Grace S. (Prosphere)" <Grace.Kudiwu@va.gov> Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org> Subject: Re: Encryption at rest/in transit Message-ID: <CAGBxaX=M%2BJ9Z0=_hhFuPFpzZhr--4Mgbd-uAUkcD-g3yi%2BravA@mail.gmail.com> In-Reply-To: <DM6PR09MB306626341FA611BD7A3191FFF0DE0@DM6PR09MB3066.namprd09.prod.outlook.com> References: <DM6PR09MB306626341FA611BD7A3191FFF0DE0@DM6PR09MB3066.namprd09.prod.outlook.com>
On Thu, Apr 9, 2020 at 11:41 PM Kudiwu, Grace S. (Prosphere) via freebsd-questions <freebsd-questions@freebsd.org> wrote:

> How does FreeBSD handle encryption of data at rest and data in transit?

Speaking as someone who builds HIPAA-compliant (requires end-to-end encryption by law) software on FreeBSD, I will say the following in regards to your question:

1. Encryption is not, per se, an OS issue; for the most part it is how you make your application and the transport mechanisms you use. For example, if you are not using TLS/SSL then no matter how the OS stores data the transport is not encrypted, and no feature of the OS can change that fact. Conversely, if you are using TLS/SSL then the transport is encrypted regardless of the OS.

2. FreeBSD does support encrypted drives, but this should *NOT* be considered encryption at rest, because it only protects the data from physical theft and reading on a different system than it was created on (and, depending on configuration, makes it so you must know a password to successfully boot the machine [not a good idea for data center based servers]).

3. Due to item three, you should use application-level encryption on storage. Very few applications truly support this; for example, no widely used DB that I know of supports record/table-level encryption. Field encryption is not the same, since it allows someone to see the scheme, and the first rule of good security is to give the attacker as little information as possible.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org