Gateway-side encryption

This guide describes how you can configure Orchesto to encrypt object data.

Overview

Orchesto can be configured to automatically encrypt object data before it is sent to the upstream backend for storage. When the object data is retrieved from the backend, Orchesto will automatically decrypt it before returning it to the client.

This method of encryption is referred to as Gateway-Side Encryption (GSE). It differs from Server-Side Encryption (SSE) primarily in where the encryption happens: with SSE the backend receives the object in clear text and encrypts it with keys the backend holds, whereas with GSE the object data is encrypted before it is sent to the backend, so the backend only ever stores ciphertext.

Because the encryption keys are under the data owner's control from the moment Orchesto receives the object, and neither the plaintext nor the keys are exposed to the backend, GSE provides the data owner with stronger protection than Server-Side Encryption, where the storage provider holds the keys.

Tip

Orchesto uses AES-256-GCM when encrypting the object's data. As with SSE, the object's metadata is not encrypted, so object names and user-defined metadata should be treated as clear text and should not contain sensitive information.

Configuring a Key Management Service

To use Gateway-Side Encryption, Orchesto must be configured with a supported Key Management Service (KMS).

Orchesto supports the following KMS providers:

  • Orchesto KMS
  • HashiCorp Vault

A KMS can be added either via the management console or the Orchesto API.

It is recommended that a descriptive ID is used when adding a KMS, as this information is stored with each encrypted object and can be useful in disaster recovery situations.

While multiple KMSs may be configured, only one KMS can be active at any time. The active KMS is the one used to generate keys for encrypting new objects.

Warning

The KMS that was used to encrypt an object must remain added to Orchesto; otherwise Orchesto cannot automatically decrypt the object when it is fetched from a backend.

Orchesto KMS

Orchesto offers a simple KMS "out of the box". The Orchesto KMS requires an RSA key to be provided, which acts as the master key. Each time a new key is uploaded for the KMS, the current master key is rotated out and the newly uploaded key becomes the active master key.

Uploaded master keys are stored in the Orchesto configuration. It is critically important that backups of the master keys are created, including every rotated-out key that still protects stored objects: if a master key is lost, all objects that were encrypted while that master key was active can no longer be decrypted, and there is no way to recover them.

Enabling Encryption for a Bucket

Once a KMS has been configured, encryption can be enabled for a bucket. Either the management console or the Orchesto API can be used to toggle a bucket's encryption status.

Once encryption is enabled for a bucket, all new uploads to the bucket will be encrypted. Objects which were uploaded to the bucket before encryption was enabled will continue to be accessible and remain unencrypted.

Note

Whether an upload is encrypted is decided when the upload starts. A multipart upload that was initiated before encryption was enabled is therefore stored unencrypted, even if it completes after encryption was enabled.

When encryption is disabled for a bucket, all new uploads to this bucket will not be encrypted. The objects which were uploaded to the bucket while encryption was enabled will remain encrypted and will be automatically decrypted by Orchesto when downloaded.

Note

Conversely, a multipart upload that was initiated while encryption was enabled is stored encrypted, even if it completes after encryption was disabled.

Tip

As mentioned in Configuring a Key Management Service (see above), the KMS which was active at the time the object was uploaded must remain configured within Orchesto for the object to be automatically decrypted on download. If the KMS is removed from Orchesto, it must be re-added with the same configuration (the same ID and, for the Orchesto KMS, the same master key material) before automatic decryption can occur again.
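The following Go program is an added illustration of the behaviour described in the Overview, the KMS sections and this section; it is not Orchesto's code and does not reproduce Orchesto's on-disk format. It assumes an envelope scheme that the page does not spell out: each object gets a fresh AES-256-GCM data key, the data key is wrapped with RSA-OAEP under the master key of the active KMS, and the descriptive KMS ID is stored in clear text with the object. The use of the object path as GCM associated data, the type and method names, and the in-memory map standing in for the upstream backend are all choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KMS wraps per-object data keys under a provided RSA master key; ID is the descriptive name stored with every object it encrypts.
type KMS struct {
	ID     string
	master *rsa.PrivateKey
}

func NewKMS(id string, master *rsa.PrivateKey) *KMS { return &KMS{ID: id, master: master} }

// StoredObject is what the backend sees: ciphertext plus clear-text metadata naming the KMS. A clear-text object has no KMS ID.
type StoredObject struct {
	Data, WrappedKey, Nonce []byte
	KMSID                   string
}

type Gateway struct {
	kms       map[string]*KMS // every KMS still added, keyed by ID
	active    *KMS            // generates data keys for new uploads
	bucketEnc map[string]bool
	Backend   map[string]StoredObject // stands in for the upstream backend
}

func NewGateway() *Gateway {
	return &Gateway{kms: map[string]*KMS{}, bucketEnc: map[string]bool{}, Backend: map[string]StoredObject{}}
}

// AddKMS makes the new KMS active (rotation); earlier ones stay added so the objects they encrypted still decrypt.
func (g *Gateway) AddKMS(k *KMS)                         { g.kms[k.ID] = k; g.active = k }
func (g *Gateway) RemoveKMS(id string)                   { delete(g.kms, id) }
func (g *Gateway) SetBucketEncryption(b string, on bool) { g.bucketEnc[b] = on }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a CSPRNG failure is not something to recover from
	}
	return b
}

func gcmFor(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err) // unreachable: dek is always 32 bytes
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Put encrypts only if the bucket has encryption enabled at upload time, and fails closed without an active KMS.
func (g *Gateway) Put(bucket, key string, plaintext []byte) error {
	path := bucket + "/" + key
	if !g.bucketEnc[bucket] {
		g.Backend[path] = StoredObject{Data: plaintext}
		return nil
	}
	if g.active == nil {
		return fmt.Errorf("bucket %q has encryption enabled but no KMS is active", bucket)
	}
	dek := randomBytes(32) // fresh AES-256 data key per object
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &g.active.master.PublicKey, dek, nil)
	if err != nil {
		return err
	}
	gcm := gcmFor(dek)
	nonce := randomBytes(gcm.NonceSize())
	// The object path as associated data (our choice here) binds the ciphertext to its location.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(path))
	g.Backend[path] = StoredObject{Data: ct, WrappedKey: wrapped, Nonce: nonce, KMSID: g.active.ID}
	return nil
}

// Get returns clear-text objects untouched and decrypts the rest with the KMS named in their metadata.
func (g *Gateway) Get(bucket, key string) ([]byte, error) {
	path := bucket + "/" + key
	obj, ok := g.Backend[path]
	if !ok {
		return nil, fmt.Errorf("no such object %q", path)
	}
	if obj.KMSID == "" {
		return obj.Data, nil
	}
	k, ok := g.kms[obj.KMSID]
	if !ok {
		return nil, fmt.Errorf("object %q was encrypted with KMS %q, which is no longer added", path, obj.KMSID)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.master, obj.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(dek).Open(nil, obj.Nonce, obj.Data, []byte(path))
}
```

Two points worth noticing in the example. Objects uploaded while the bucket flag was off carry no KMS ID and are returned as-is, so a bucket can hold clear-text and encrypted objects side by side and the gateway routes each read by the per-object metadata, not by the bucket's current setting. Removing a KMS does not touch the stored objects, it only removes the ability to unwrap their data keys, which is why a Get on such an object fails until a KMS with the same ID and master key is added again; this is the failure mode the warning above describes.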

Encryption Managed by Governance Policies

Even when bucket-level encryption is not enabled, an object can still be encrypted before it is placed upstream. This happens when a Governance Policy is in effect which identifies the object as requiring secure handling. Whether a governance policy applies to an incoming object is evaluated in the background; once a governance policy has been activated, no user involvement is required.

A backing bucket in Orchesto can therefore contain a mix of clear-text and encrypted objects. Orchesto keeps track of the status of each object and, provided that the encryption keys have not been removed, automatically handles encryption and decryption.

Note

The governance policies are defined in The Central and not in Orchesto. The Central is an Enterprise tool that supports management in situations when several Orchestos are deployed. It provides users with an overview of deployed Orchestos, consolidated metrics and an interface for governance policies.