New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem: Docs say little re/ privacy & handling private data #2437
Conversation
Solution: Write a new docs page about that
Solution: Create a new docs page, "Production Node Security & Privacy"
Codecov Report
@@ Coverage Diff @@
## master #2437 +/- ##
=======================================
Coverage 88.58% 88.58%
=======================================
Files 40 40
Lines 2312 2312
=======================================
Hits 2048 2048
Misses 264 264 |
#. Everyone with full access to a BigchainDB node (e.g. the sysadmin of a node) can read all the data stored on that node. | ||
#. Everyone given access to a node via the BigchainDB HTTP API can find and read all the data stored by BigchainDB. The list of people with access might be quite short. | ||
#. If the connection between an external user and a BigchainDB node isn’t encrypted (using HTTPS, for example), then a wiretapper can read all HTTP requests and responses in transit. | ||
#. If someone gets access to plaintext (regardless of where they got it), then they can (in principle) share it with the whole world. One can make it difficult for them to do that, e.g. if it is a lot of data and they only get access inside a secure room where they are searched as they leave the room. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this needed? I guess it's implicit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's something that I've noticed people often raise as an issue, so I figured it would be worthwhile to mention it explicitly, lest they think we never thought about it.
docs/root/source/private-data.rst
Outdated
|
||
There are other ways to accomplish the same thing. The above is just one example. | ||
|
||
You might have noticed that the above example didn’t treat the “read permission” as an asset owned (controlled) by a user. The reason is that read permissions must be controlled by DocPile or a document owner, not by the user. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can add,
... because if the permission asset is given to (transferred to or created by) the user then it cannot be controlled any further until the user transfers it back to DocPile.
This setup could be used in an enterprise blockchain scenario where a special node should be able to see parts of the data, but the others should not. | ||
|
||
- The special node generates an X25519 keypair (or similar asymmetric *encryption* keypair). | ||
- A BigchainDB end user finds out the X25519 public key (encryption key) of the special node. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
finds out
can be queries
. just to make it clear that the encryption public key of the node will be published by the node.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to leave it vague (how the end user finds out the key). Maybe they get it from the node via SMS, Slack or fax.
docs/root/source/private-data.rst
Outdated
|
||
- Ed25519 keypairs are designed for signing and verifying cryptographic signatures, `not for encrypting and decrypting messages <https://crypto.stackexchange.com/questions/27866/why-curve25519-for-encryption-but-ed25519-for-signatures>`_. For encryption, you should use keypairs designed for encryption, such as X25519. | ||
- If someone (or some group) publishes how to decrypt some encrypted data on-chain, then anyone with access to that encrypted data will be able to get the plaintext. The data can’t be deleted. | ||
- Encrypted data can’t be indexed or searched by MongoDB. (It can index and search the ciphertext, but that’s not very useful.) One might use homomorphic encryption to index and search encrypted data, but MongoDB doesn’t have any plans to support that any time soon. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can add,
if there is indexing or keyword search needed, then some fields of the asset.data or metadata objects can be left as plain text and the sensitive information can be stored in an encrypted child-object
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point!
Solution: