Encryption

Instabase supports client-side encryption for data at rest at the file system layer. Client-side encryption is performed by Instabase on top of the storage provider (for example, S3) and is independent of any server-side encryption performed by the storage provider. The following sections describe both forms of encryption in more detail.

Server-side encryption

Server-side encryption refers to the encryption of data at its destination by the storage provider (for example, S3). The storage provider manages the encryption process and keys. When mounting a new S3 or Google Cloud Storage drive in Instabase, specify the Server-side Encryption Type if server-side encryption is enabled on the storage provider side.

Links to relevant AWS Documentation about server-side encryption for S3:

Client-side encryption

Client-side encryption is performed by Instabase rather than by the storage provider. Instabase supports client-side encryption of your files in the Instabase file system, so they are protected while stored at rest in your file storage system.

Client-side encryption process

Instabase uses an envelope encryption process to keep your files secure. Encryption is performed on at-rest data with a locally generated data encryption key (DEK), and then the DEK is encrypted with a 256-bit Advanced Encryption Standard (AES) primary key. The primary key is stored in a key management system, and is provided by the user.

When you write or modify a file, an encrypted payload is constructed before storing the payload at rest. The encrypted payload contains the encryption metadata that is required for decryption.

Each encrypted file payload includes:

  • The encrypted file contents

  • The DEK used to encrypt the file contents, encrypted

  • The ID of the primary key used to encrypt the data encryption key

Using the encryption metadata stored in the payload, decryption can be performed on any previously encrypted file, as long as the primary key has not been deleted. This brings us to the next section: how primary keys should be managed and how Instabase uses them.

Instabase uses AES-256 in CTR (counter) mode to perform client-side encryption. CTR encrypts each block of the data with the DEK and a counter value that is incremented for every block. Because each block depends only on the DEK and its counter value, a file can be encrypted chunk by chunk without holding the whole file in memory.

Primary key management

You must mount your own key management system to store the primary encryption keys. Instabase supports only AWS Key Management Service (KMS) as a valid key management system.

Note

Instabase does not manage or store your primary encryption keys. Be sure to follow your organization's security best practices to ensure encryption is paired with strong key management.

You are responsible for creating and managing all primary keys in the key management system. Instabase syncs the primary key IDs from the key management system and then asks the key management system to encrypt or decrypt DEKs with the specified primary key.

Warning

Instabase recommends that you never delete a primary key that has been used for encryption. If a primary key has been deleted from the key management system, you cannot recover any files encrypted with that key.

Primary key rotation

A designated primary key is required for Instabase to perform encryption on your files. However, to mitigate the effects of a key compromise, you can rotate your primary key.

Note

The encryption settings are available in the platform UI only if configured in your deployment.

Navigate to Admin > Site Settings > Encryption.

When you rotate your primary key, any files that are created or modified going forward are encrypted under the new primary key. Previously encrypted files are not re-encrypted automatically, but they can still be decrypted with the old primary key.

Enable file storage encryption

Prepare, configure, and enable encryption in Instabase deployments.

Prerequisites

Your environment must meet these prerequisites before you can enable encryption for Instabase deployments.

  • File storage

    Provide a fresh file storage volume for your encrypted data. We strongly recommend that you store encrypted and unencrypted data on separate storage drives.

  • Key Management System (KMS)

    You must set up a key management system to mount on Instabase. Only AWS Key Management Service is supported.

  • You must create a primary key.

    This must be done in your key management system.

    For AWS KMS, you can refer to the following docs for creating a symmetric key:

  • KMS details encryption key

    You must provide a 256-bit encryption key for encrypting your KMS provider credentials. This key must be a 32-character alphanumeric string (32 bytes, that is, 256 bits), like "01234567890123456789abcdeabcde01".

Configurations for enabling encryption

To configure your Instabase deployment to enable encryption, ensure these environment variables are set:

"enable_client_side_encryption": true,

ENABLE_CLIENT_SIDE_ENCRYPTION should be set in webapp, api-server, api-server-apps, and apps-server.

"kms_details_encryption_key_256_bit": <insert_key>

KMS_DETAILS_ENCRYPTION_KEY_256_BIT should be set in grpc-file-service.

Mount AWS Key Management Service

Finally, you must grant Instabase permission to access your key management system. You can do this by mounting your key management system at Admin > Site Settings > Encryption under Set KMS Provider Details.

Note

If you are using AWS to host your Instabase Kubernetes cluster, you can use IAM roles to grant your Instabase instance permission to access AWS Key Management Service.

  • To grant access, ensure that the role provisioned to your Instabase worker nodes has access to DescribeKey, Encrypt, and Decrypt in the AWS KMS policy.

  • If you use IAM roles, enter your AWS region and select Don’t use AWS Access Credentials.

Example policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow access to KMS Keys for Instabase Client Side Encryption",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

If you intend to use IAM roles, you must ensure that you attach the policy to your IAM role and the IAM role to the EKS instance. See the Amazon EKS documentation for additional information.

Alternatively, you can directly input your AWS Access Credentials. Your access credentials are stored encrypted, using the KMS details encryption key described in the prerequisites.

Mount the encrypted drive

You are now ready to mount your new file storage volume as an encrypted drive. You can do this by navigating to a workspace and selecting the New Drive button. In the drive details modal, set the Encryption Type to be KMS Encryption. Any data written to this drive is now encrypted before being stored to the filesystem.

Note

Encryption can slow file read and write operations. From benchmarking on an S3 drive with 10 concurrent requests, on average, read operations are 2.5x slower and write operations are 14 percent slower. For example, a 10ms read operation takes 25ms, and a 10ms write operation takes 11.4ms.