Encryption-at-rest FAQ
Sueann See
Experian Super Contributor
Since release 2.4.5, you can turn on a new security setting at Settings>Security, Encryption to encrypt Data Studio resources.
Here are some FAQs:
- What do resources include? Resources refers primarily to files in the \data\resource folder and typically includes the imported datasets, snapshots and some cache files.
- Do I need to restart the server for the changes to take effect? No, you do not need to restart the server for encryption to take effect. It will be turned on as soon as you toggle on and save the security settings.
- What algorithm is being used for the encryption? AES-256
- Is it possible to manage the encryption key (e.g. rotating the key)? No, not at the moment.
- Will historical resources be encrypted? No, the changes will only apply to new resources. As an example, if you have an existing multi-batch dataset, the batches loaded after encryption is turned on will be encrypted.
- Do we have any statistics on the performance impact when encryption is turned on? At a high level, encryption adds a 20% performance hit when compression is off and about a 10% hit when compression is on. However, this does not mean you should turn on compression. Turning off compression generally improves performance regardless of whether you use encryption or not. Performance also depends on the complexity of the workflows. Workflows involving heavy sorting and grouping will likely see the most impact. You may want to consider turning on full record sorting for workflows involving heavy sorting.
- How does this impact backups? Backups should be unchanged. The encrypted files are backed up like the other encrypted ones.
- How does this impact Data Studio upgrades? There is no impact. Encryption settings will remain as they were prior to the upgrade.
- Is it recommended to turn on this setting? It is generally recommended as an additional security control. However, this would also depend on your risk appetite, the kind of data you are loading into Data Studio and whether the trade-off with performance can be accepted. You may have already implemented encryption at the disk level. Additionally, the precise nature of the data is obfuscated through a combination of minification and field value pairing using proprietary methods, making it not fully readable to anyone with direct access to the server.
We will continue to make further improvements in this area.