Data Encryption


Overview

Encryption is a necessity in today’s world. Data travels all over the internet and it’s important that data stays secure. Encryption ciphers convert data from plaintext to ciphertext. Using encryption, a phrase like “No code is the future!” might change to “21h34lk234h32o32lh23dc454tw44treg43gqg.” Without access to the decryption key, malicious actors can't use your data if it’s intercepted. Unqork and its third-party providers encrypt data in transit and at rest to ensure your data’s security. This article explains the types of encryption used by three third-party providers commonly used with Unqork: MongoDB Atlas, AWS (Amazon Web Services), and Azure.

What You'll Learn

In this article, you'll learn about:

Encryption Types by Third-Party Providers

Unqork builds your environment on an infrastructure provided by a Cloud Service Provider (CSP). That CSP is AWS or Azure. MongoDB Atlas stores your data in databases. All three vendors use TLS (Transport Layer Security) encryption for data in transit and AES 256 encryption for data at rest. The vendor holds the encryption keys or manages them with a service they provide.

Vendor        | Encryption Type                                                          | Key Holder
MongoDB Atlas | Data in transit: client-to-server TLS; data at rest: AES 256             | MongoDB Atlas
AWS           | Data in transit: TLS; data at rest: AES 256 server-side encryption       | S3-Managed Keys or AWS KMS
Azure         | Data in transit: TLS; data at rest: AES 256 server-side encryption       | Microsoft key store

NOTE  Unqork doesn't use customer-managed keys.

Key Rotation Policies

Unqork uses fully-managed CSP (Cloud Service Provider) keys using the CSP KMS (Key Management Service). Unqork can't access the keys. The KMS uses keys generated in the HSM (Hardware Security Module). This ensures no one, including CSP employees, can access the plaintext key material. This removes the need for customers to manage their own keys for disk encryption, while providing FIPS (Federal Information Processing Standards) 140-2 validated data security.

Each vendor has best practice key rotation policies. Not all key rotations are automatic, so it is important to review your chosen vendor's policy:

Encryption at Rest and In Transit

The CSP providing the service encrypts data at rest according to its own protocols. By default, all new environments use TLS 1.2+ encryption for data in transit. Some older environments might still use TLS 1.1+. If your environment uses TLS 1.1+ and you want to upgrade, you can make that request to your Unqork representative.

NOTE  Certain compliance requirements, like PCI (Payment Card Industry), need TLS 1.2+.

Environments built on AWS use an end-to-end encryption system. AWS uses TLS 1.2+, and the encryption terminates at the application load balancer. Communication with back-end components and services is re-encrypted with TLS 1.2+. Environments created on AWS use the ELBSecurityPolicy-FS-1-2-2019-06 load balancer security policy; the ciphers offered depend on the policy selected. If you run an Unqork environment on AWS and use a legacy system, or one that requires a different protocol or cipher, you can request a different AWS SSL (Secure Sockets Layer) policy or cipher.
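As an added example (not Unqork's, AWS's or any vendor's code), the following Python client-side audit applies the floor this section describes: anything below TLS 1.2 is flagged, and for TLS 1.2 only forward-secret ECDHE suites are accepted, in the spirit of a forward-secrecy ("FS") load balancer policy. `legacy_context` and `hardened_context` are constructed configurations for comparison, not settings taken from any real environment.

```python
"""Audit a TLS client configuration against the floor described above: TLS 1.2 or
later (PCI requires it) with forward-secret key exchange for every TLS 1.2 suite."""
import ssl

TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def legacy_context() -> ssl.SSLContext:
    """Constructed example of what an older 'TLS 1.1+' environment still accepts."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Constructed example of the corrected setting: TLS 1.2+ only, and only ECDHE
    (forward-secret) suites for TLS 1.2. TLS 1.3 suites are always forward secret."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_FLOOR
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return findings; an empty list means the context meets the floor.
    MINIMUM_SUPPORTED (-2) also compares below the floor, so 'whatever the
    library allows' is flagged rather than trusted."""
    findings = []
    if ctx.minimum_version < TLS_FLOOR:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; "
                        f"PCI requires {TLS_FLOOR.name} or later")
    # Every TLS 1.2 suite left enabled must use ECDHE key exchange (forward secrecy).
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if c["protocol"] != "TLSv1.3" and not c["name"].startswith("ECDHE")})
    if weak:
        findings.append(f"{len(weak)} TLS 1.2 suite(s) without forward secrecy, "
                        f"e.g. {weak[0]}")
    return findings
```

The same `audit` can be pointed at a context built from any client's settings before it connects to an environment, so a TLS 1.1 fallback is caught in configuration rather than discovered in a compliance review.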

Data transmitted to MongoDB Atlas from your Unqork environment uses TLS 1.2+ encryption, beginning at the application, passing through the NAT (Network Address Translation) gateway, and terminating when it reaches MongoDB Atlas.

AWS and Azure SSL Policies