By using AWS re:Post, you agree to the AWS re:Post Terms of Use

How to use client side encryption for Postgres in a way that only the end user have access to their data?

0

I have an App running on a cloud which stores data in a PostgreSQL. Since this App is aimed to be used by various different clients, I need a way to guarantee to them that they are the only ones that have access to their respective data, even when I am the one who manages the cloud services. The only way I found that this could be achieved is by means of client side encryption (please correct me if I am wrong).

I couldn't find information about achieve this goal with keys been stored locally (in the client). which service of AWS should I use in order to achieve my goal? Thanks

asked 6 months ago221 views
1 Answer
0

Hi,

The AWS Database Encryption SDK seems provide what you ask for:

Working with multitenant databases

With the AWS Database Encryption SDK, you can configure client-side encryption for 
databases with a shared schema by isolating each tenant with distinct encryption materials. 
When considering a multitenant database, take some time to review your security requirements 
and how multitenancy might impact them. For example, using a multitenant database might 
impact your ability to combine the AWS Database Encryption SDK with another server-side encryption 
solution.

The documentation starting point is here: https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/configure.html#config-multitenant-databases

This blog post implements the solution: https://aws.amazon.com/blogs/database/multi-tenant-data-isolation-with-postgresql-row-level-security/

Best,

Didier

profile pictureAWS
EXPERT
answered 6 months ago
  • Hello, Didier. I do not intent to use multi-tenant database for this project. The solution I am looking for is targeting the isolation of the end user from the cloud service provider, not among the end users themselfs. At the current scenario the referred App works perfecly in the browser and the clients data is saved "directly" in the cloud database without encryption and read without decryption. This way, the part that provides the cloud service have access to the clients data (wich is not allowed for the purpose that the App is used for). I am looking for a black box between the client and the cloud database in order to perform the encryption (before send) and the decryption once received (withoud saving the data in the client machine eather). It is clear to me that this black box could be implemmented in a hardware or software format and that it will reside in client side for each one of them. I am looking to implemment the software format. Some sort of row cryptography with the black box in the middle. I am using PostgreSQL as a database (could pgAdmin help?) Will the solution you suggest fullfill the requirments I presented? Thanks

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions