Encryption for data in transit relies on SSL (Secure Sockets Layer), which ensures a secure connection between a client and our server by checking the server's certificate. This ensures that the connection over the public internet is secure.
Encryption on S3 for attachments is done only as follows:
When the front-end sends data to the server, the server decrypts it (using a key) from the base64 token back to our S3 bucket folder address.
When the front-end requests data from the server, the server first encrypts the S3 bucket folder address (using the same key), base64-encodes the result, and then sends the data to the front-end.
Application-level encryption is required, in addition to defending against other common forms of attack (think XSS or NoSQL injection), because:
Given MongoDB's flexible schema, data-at-rest encryption is a conceptually straightforward change: replace plaintext data in a document with encrypted data.
Why application-level encryption?
Encryption at the application level is independent of the server and network stack. The application layer is in complete control. Keys are always in the application layer, and separate from the data layer. Plaintext information is never stored or transmitted. No part of the data layer can reveal the plaintext values to potential attackers.
Backups and disaster recovery are just as easy with application-level encryption – all current backup mechanisms will work. No matter how verbose the logs, they only contain encrypted data.
By comparison, drive encryption decrypts data as soon as it is read from disk. mongodump exports contain unencrypted information. Logs contain plaintext values. Backups and log systems must implement their own encryption to maintain system integrity. With software drive encryption, the key must be accessible to make the drive usable. Usually the key is held in RAM, which creates the problem of loading the key onto the system during an unattended reboot. Handling such issues complicates the overall picture and introduces potential leaks.