So I am building a Google Drive clone just as my first learner project, and the core functionality is working, but i would like to encrypt the files i store in mongoDB (using gridfs for large file sizes). I have been hearing about using the crypto module to do this (I want to continue to use read/write streams), which of course requires a cipher from a key. So i'm not sure exactly what to use as a key, and more importantly where to store it, I was thinking of using the hashed password stored in the mongoDB user model, but what would stop someone from just opening mongoDB (with something like compass on the machine), getting that hashed password, and then using it to decrypt the grid.fs data? Then I was thinking of just using some master key to encrypt all of the file data, but that key would need to be stored somewhere on the local machine obviously, so i'd just run into the same issue if someone got there hands on the server and went through the files.I've heard something about mongoDB having an option to encrypt all the data, but is this only for enterprise users? Wouldn't i still need to store the key somewhere, and how bad would the performance decrease be from encrypting everything?Idealing I would like to encrypt just the chunks that grid.fs creates, and avoid encrypting the whole mongoDB database (or even my disk).Small side note, wouldn't full disk encryption not be the beneficial? It's only beneficial if the machine gets turned off, but if the machine remains on, couldn't they get all the data just like a non-encrypted disk?Sorry I know this is a lot of questions, just kinda lost right now.
Submitted November 23, 2019 at 05:11PM by subnub99
No comments:
Post a Comment