Data Encryption: Privacy by Math
HTTPS is not enough. You need Encryption at Rest and Application-Level Encryption to truly protect PII. Understanding AES, RSA, and KMS.
The Illusion of Safety
“We verify SSL.”
Great. Your data is safe while it travels down the fiber optic cable (Encryption in Transit).
But where does it land?
It lands in a database.
Is the database encrypted?
If an attacker gets access to the database file on disk (user.db), can they read it?
If the SysAdmin dumps the database to a CSV, is it readable?
If the answer is Yes, you are not secure.
Encryption at Rest ensures that the stored data is essentially random noise without the key.
Why Maison Code Discusses This
At Maison Code, we handle user data that falls under strict regulation (GDPR, CCPA, HIPAA). Medical records. Home addresses. A breach here is not just an embarrassment; it is a lawsuit. We implement Zero Trust architectures. We assume the database will be leaked. If it is leaked, we want the data to be useless to the attacker. We talk about this because Cryptography is valid engineering, not magic.
The 3 States of Data
- In Transit: Moving over the network.
  - Solution: TLS 1.3 (HTTPS). AWS Certificate Manager.
- At Rest: Sitting on a disk (S3, RDS hard drive).
  - Solution: AES-256 Volume Encryption (AWS KMS).
  - This is transparent. The OS encrypts writes and decrypts reads. If someone steals the physical hard drive, they can’t read it. But if they log into the database as admin, they can read it.
- In Use (Application Level): Being processed in memory (RAM).
  - The Hardest Part.
  - Protecting data even from the DB Admin.
  - Solution: Client-Side Encryption. The App encrypts the Credit Card number before sending it to the database. The DB only sees garbage.
KMS (Key Management Systems)
Rule #1 of Crypto: Do not create your own crypto.
Rule #2: Do not store the key next to the lock.
If you encrypt the DB but store the encryption key in config.js in the same repo… you achieved nothing.
Use a KMS (AWS KMS, HashiCorp Vault).
The Hardware Security Module (HSM) generates the key and never lets it leave the hardware.
Your app asks KMS to “Decrypt this”. KMS validates permission and returns the plaintext.
You can audit exactly who decrypted what and when.
Hashing vs Encryption
Encryption is reversible (with a key). Use it for: Addresses, Credit Cards (if you handle them), PII. Hashing is one-way (irreversible). Use it for: Passwords. Never encrypt passwords. Hash them using Argon2 or bcrypt. If you encrypt them, and the key is stolen, all passwords are compromised. If you hash them (salted), the attacker has to crack them one by one.
Implementing Application-Level Encryption
Using the Node.js crypto module:

import crypto from 'crypto';

const ALGORITHM = 'aes-256-gcm'; // Authenticated Encryption: confidentiality plus integrity

// masterKey must be exactly 32 bytes (256 bits). Fetch it from KMS; never read it from config.
function encrypt(text, masterKey) {
  const iv = crypto.randomBytes(16); // Initialization Vector (Random! Never reuse one with the same key)
  const cipher = crypto.createCipheriv(ALGORITHM, masterKey, iv);
  let encrypted = cipher.update(text, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  const tag = cipher.getAuthTag(); // Lets decrypt() detect a modified ciphertext
  // Store IV and Tag with the ciphertext!
  return {
    content: encrypted,
    iv: iv.toString('hex'),
    tag: tag.toString('hex')
  };
}

// Reverses encrypt(); throws if the ciphertext, IV or tag were tampered with.
function decrypt(payload, masterKey) {
  const decipher = crypto.createDecipheriv(ALGORITHM, masterKey, Buffer.from(payload.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(payload.tag, 'hex')); // Must be set before final()
  let decrypted = decipher.update(payload.content, 'hex', 'utf8');
  decrypted += decipher.final('utf8');
  return decrypted;
}
Key Rotation: Every year, generate a new master key. Re-encrypt data. This limits the “Blast Radius”. If the 2024 key is stolen, 2025 data is safe.
7. Envelope Encryption: The Holy Grail
If you have 1 Billion Rows, you cannot encrypt them all with the same Master Key. If that key leaks, everything leaks. Solution: Envelope Encryption.
- Master Key (CMK): Lives in KMS (HSM). Never leaves.
- Data Key (DK): Generated for each user. Encrypted by CMK.
- Data: Encrypted by DK.
When you want to read User A’s data:
- Ask KMS to decrypt User A’s DK (using CMK).
- Use the plaintext DK to decrypt User A’s data.
- Discard the plaintext DK immediately.
This is how AWS S3 and EBS encryption works under the hood. It allows granular access control.
8. FIPS Compliance (GovCloud)
If you work with Government or Healthcare, you hear “FIPS 140-2”.
This is a certification for crypto modules.
It means “The random number generator is truly random”.
Node.js default crypto is not FIPS compliant by default.
You must compile Node with --enable-fips.
Or use AWS CloudHSM, which is FIPS 140-2 Level 3 certified.
Ignorance here is not an excuse for the auditor.
9. The Skeptic’s View
“This ruins performance.” Counter-Point: AES instructions are built into modern CPUs (AES-NI). The overhead is microseconds. DB Latency is milliseconds. Encryption is free (performance-wise). The cost is Complexity (Key Management). Is your user’s privacy worth the complexity? Yes.
FAQ
Q: Symmetric vs Asymmetric?
A: Symmetric (AES): Same key encrypts and decrypts. Fast. Good for data at rest. Asymmetric (RSA/ECC): Public Key encrypts, Private Key decrypts. Slow. Good for sharing secrets (TLS handshake). Use AES for DB encryption.
Q: What about Search?
A: You cannot search encrypted data easily (WHERE name = 'Alice' fails because ‘Alice’ is stored as x8s7...).
Solution: Blind Indexing.
Store a hashed version of the name (hash('Alice')) in a separate column. Search that.
10. Quantum Resistance: The Future Threat
RSA-2048 is secure today. In 10 years, a Quantum Computer might crack it in seconds (Shor’s Algorithm). This is “Store Now, Decrypt Later”. Attackers are harvesting encrypted data today, waiting for the tech to decrypt it tomorrow. Defense: Post-Quantum Cryptography (PQC). NIST is standardizing algorithms like Kyber and Dilithium. Maison Code is already experimenting with PQC libraries to future-proof sensitive long-term archives (e.g., Medical Records).
11. Homomorphic Encryption (The Dream)
Imagine asking the cloud: “What is the average salary?”
And the cloud calculates it without ever decrypting the salaries.
This is Homomorphic Encryption.
It allows computation on ciphertext.
Enc(5) + Enc(10) = Enc(15).
It is currently too slow for production (1000x overhead), but it is the cutting edge of privacy tech.
We monitor this space closely.
12. Conclusion
Encryption is the mathematical enforcement of privacy. Without it, privacy is just a promise. Promises are broken. Math is not.
Sensitive Data in Plaintext?
We implement End-to-End Encryption and Key Management (KMS) strategies to protect PII and Intellectual Property. Hire our Architects.