Ensuring all data is encrypted at rest with LuxSci

May 10th, 2013

Email and other data are either being “transmitted,” being “processed,” or “at rest.” That is, the data is moving from one computer to another, is stored on a computer, or is being prepared for transmission or storage.

While most types of compliance regulation, such as HIPAA, specifically require that data be transmitted securely, not all regulations require that data be stored in an encrypted form while at rest. For example, HIPAA does not require at-rest encryption, though it is recommended in some situations to decrease risk and potential liability.

Having your email and other data encrypted while at rest can potentially increase the security of that data, even if that level of security is not explicitly required. As a result, many LuxSci customers have asked how to ensure that all of their email and other data are encrypted while at rest.

Full-disk encryption

Full-disk encryption encrypts the hard drives or data stores themselves, not the individual files, which remain visible in plain form on the server while it is running. Full-disk encryption protects everything on the server, so the following are technically “encrypted at rest” under full-disk encryption:

  1. Sent email and email folders
  2. Website and FTP data
  3. Data stored in customer MySQL databases
  4. All WebAides

At LuxSci, full-disk encryption is available for all dedicated server accounts.*

However, full-disk encryption is not the be-all and end-all solution, as it does not protect the data from access by users or programs running on the server. See the section at the end for more on full-disk encryption. The following sections discuss the possibilities for encryption in addition to, or instead of, full-disk encryption; in them, “at-rest encryption” refers to encryption of individual saved data items on the server and not to full-disk encryption, which may also be in use.

*Certain older Business-class dedicated customers may have signed up before full-disk encryption became a standard on all types of new LuxSci accounts. Contact support if you want to find out about your particular server.

At-rest encryption for email

Email encryption with LuxSci requires the use of LuxSci’s SecureLine service. SecureLine includes four modes of email security: TLS, Escrow, PGP, and S/MIME.

  1. TLS: This method is always used by LuxSci when possible, even if another mode is also used. It can be the only mode used for customers who require only transport encryption and for whom the convenience of TLS SMTP encryption is desirable. However, TLS by itself protects the message only in transit; it does not encrypt your message while at rest.
  2. SecureLine Escrow: Messages sent via Escrow are encrypted using PGP and stored in a secure database. They are encrypted at rest and during transmission (via SSL for access).
  3. PGP and S/MIME: Messages sent via PGP and S/MIME are encrypted at rest and during transmission.

So, as long as you disable the use of “TLS Only” as an acceptable means of encryption in your SecureLine settings, all of the messages you send securely will be encrypted at rest.

Caveats — there are always some:

  1. Sent Mail: Your sent email messages are not generally individually encrypted, whether saved from WebMail or from an email program. There is an easy solution to this, however. To encrypt your sent email:
    1. Disable saving sent email in WebMail (My Email Tools>My Preferences>WebMail Composition) and your email program.
    2. Enable your LuxSci setting “Forward a copy of all messages sent via SMTP or WebMail to a specific email address” and forward the email to yourself.
    3. Add a PGP or S/MIME certificate for yourself in the LuxSci user interface so that your email to yourself is encrypted using a certificate, not via Escrow. S/MIME is recommended over PGP for compatibility with most email programs.
    4. Create a Custom Email Filter in your LuxSci account to match messages “from yourself” that arrive in your account and save them to your sent email folder.
    5. The net result is that a copy of every message you send is encrypted for you, delivered to you, and then saved to your sent folder when it arrives, ensuring that sent email is always encrypted at rest.
  2. SecureLine Auto-Decrypt: SecureLine has a nice feature that allows you to have inbound PGP and S/MIME encrypted email auto-decrypted when it arrives. It is stored as a regular email in your account. This is off by default, and you would not want to enable it if at-rest encryption is desired.
  3. Caching on Send: When messages are sent, their data may be cached temporarily on disk or in memory while they are processed and encrypted. These cache locations are never backed up and are ephemeral. The data may be there for only a second to a few minutes. The only way to eliminate the need for the message to be processed in an unencrypted state is to have it encrypted before entering LuxSci. This can be done by using PGP or S/MIME in your email program, but then you cannot send messages to people not using the same PGP or S/MIME system and cannot send to recipients using Escrow. This kind of short unencrypted processing step is common to server-side encryption technologies.

While stored “sent email” is data at rest, most people do not consider the brief processing and caching needed to send or read a single message to be an “at rest” state, since it is an ephemeral process. Hence, people’s requirements about what must be encrypted when “at rest” vary greatly based on the regulations they need to follow, their security concerns and policies, the nature of the data, and their degree of trust in the services used. Unless your security requirements are stringent, a message being briefly unencrypted on the server when it is sent or opened is usually acceptable and expected.

The downside of at-rest encrypted individual email messages

It’s worth mentioning some of the downsides of having your individual email messages encrypted at rest. In general:

  1. Encryption requires more work to open and read the messages than regular email.
  2. The content of encrypted messages stored in your email folders cannot be searched. E.g., you can’t search your folder for all messages whose bodies contain some specific content.
  3. You can permanently lose access to encrypted messages if you cannot recover the password to your PGP or S/MIME certificate or if you lose your Escrow notification message (and are not using Message Center).
  4. You may not be able to open the secure email messages from your email program or mobile device; you may have to log in to a website to access them.
  5. If multiple people share an email folder containing encrypted messages, they need to share the decryption information and passwords.

At-rest encryption for WebAides

WebAides are LuxSci’s collaboration tools to store contacts, calendar entries, tasks, files, blogs, passwords, and more. The general data for these WebAides (e.g., the schedule information in a calendar event) is stored unencrypted in a secured database.

However, all WebAide attachments (including all files in Documents WebAides) are stored individually encrypted at rest using 128-bit AES encryption.

WebAides used for storing the most sensitive data also support optional PGP encryption on a per-entry basis. E.g., when saving a file to a Documents WebAide, you can:

  1. Choose to have it PGP encrypted.
  2. Have it digitally signed automatically.
  3. Pick which users and groups will be permitted to decrypt it.

This provides double at-rest encryption (using PGP, and then further encryption of that PGP-encrypted data using AES) for your sensitive data, extra access control by encrypting it for specific recipients only, and validation through digital signatures. As all of the encryption and decryption is done through the LuxSci web interface, and that interface can create PGP keys for your users and groups on demand, PGP encryption is straightforward. There is nothing to install, buy, or set up beyond requesting a PGP key and a password.

The WebAides that support both AES and PGP encryption are:

  1. Documents: For file storage and sharing
  2. Blogs: For internal blogs and notes
  3. Passwords: For password library storage and collaboration (PGP encryption for passwords is required)

Secure Form at-rest data storage

The Secure Form service at LuxSci enables your web and PDF forms to deliver posted data to you in a versatile and secure manner. Secure Form allows you to receive your form data in many ways: email, FTP, MySQL, and WebAides Documents. Some of these formats support at-rest data encryption:

  1. Secure Email: Secure Form can send the form posts to you encrypted using Escrow, PGP, or S/MIME, all of which result in the data being encrypted at rest. Avoid TLS-only secure delivery, as that will not result in at-rest encryption.
  2. Documents WebAides: Your form data and files will automatically be encrypted at rest, like all Documents WebAide attachments. Additionally, you can also have these files double encrypted with PGP.
  3. MySQL: Secure Form can save your form post data to a LuxSci-hosted MySQL database. You can choose to have this data encrypted at rest using native-MySQL AES encryption. See: Can your web and PDF forms save to an Encrypted Database?
  4. FTP: While Secure Form supports FTP and SFTP delivery of form data to your server, those files will not be individually encrypted on your server once they are delivered there.

At-rest encryption for Widgets

LuxSci’s Widgets enable you to make custom dashboards with access to just the right tools for your tasks. Most of these widgets access and render other types of data (e.g., email, WebAides, RSS feeds, etc.). A few widgets store information for you directly as part of the Widget. Of these, the “Notepad” widget can be used for saving arbitrary information.

LuxSci encrypts the contents of your Notepad widgets while they are stored at rest in the database, using native-MySQL AES encryption.

Web hosting and at-rest encryption?

Customers that host web and FTP sites with LuxSci can have data stored encrypted at rest on these sites; however, that encryption and decryption are the customer’s responsibility. The options are:

  • Upload and download pre-encrypted files using some software on your computers to handle the encryption or decryption for you.
  • Create website pages that automatically encrypt/decrypt files on the server or save them in your hosted databases using OpenSSL, PGP, or other technology.
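The native-MySQL AES at-rest encryption that Secure Form and the Notepad widget use, and the “save them in your hosted databases” option above, look roughly like this in SQL. This is an added, constructed example, not LuxSci’s own schema or code; the table, column names, sample form post and passphrase are assumptions.

```sql
-- Constructed example (not LuxSci's schema): a table for Secure Form posts
-- whose payload column holds only AES ciphertext, never plaintext.
CREATE TABLE form_posts (
  id          INT UNSIGNED    NOT NULL AUTO_INCREMENT PRIMARY KEY,
  form_name   VARCHAR(64)     NOT NULL,
  received_at DATETIME        NOT NULL,
  post_data   VARBINARY(8192) NOT NULL   -- AES_ENCRYPT output is binary
);

-- The key lives in the application, not in the database. Hashing the
-- (assumed) passphrase with SHA2 gives a fixed-length binary key.
-- MySQL's default block_encryption_mode is aes-128-ecb, i.e. 128-bit AES;
-- newer servers can be set to a CBC mode with a per-row IV instead.
SET @k = UNHEX(SHA2('assumed-passphrase-from-app-config', 256));

-- Constructed form post, encrypted at write time.
INSERT INTO form_posts (form_name, received_at, post_data)
VALUES ('intake', NOW(), AES_ENCRYPT('name=Jane Doe;dob=1980-01-01', @k));

-- What is stored at rest, and all that anyone without the key can see:
SELECT id, form_name, HEX(post_data) AS ciphertext_hex FROM form_posts;

-- What the application sees when it supplies the key on read:
SELECT id, CAST(AES_DECRYPT(post_data, @k) AS CHAR) AS post_data
FROM form_posts
WHERE form_name = 'intake';

-- A wrong key does not leak plaintext: AES_DECRYPT returns NULL when the
-- padding check fails, which it almost always does with a bad key.
SELECT id, AES_DECRYPT(post_data, UNHEX(SHA2('wrong-passphrase', 256))) AS bad
FROM form_posts;
```

Because the key travels inside the SQL statement, anything that records statement text (such as a query log) can capture it, and a process on the live server that holds the key can decrypt the rows. That is the same limitation the full-disk encryption section below describes for any encryption the live server can undo.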

For web hosting customers with strong website security/privacy needs, LuxSci recommends using dedicated servers.

What about full-disk encryption?

LuxSci uses disk-level encryption across the board, but it is not a panacea.

Full disk encryption is great for hard drives in desktops, laptops, and thumb drives — media that could easily be lost or stolen. The full disk encryption makes it difficult for someone who gains physical access to that lost or stolen media to access the raw stored data. That, in turn, mitigates compliance risk.

However, the situation breaks down when translating this to an enterprise-hosted environment. We’re not talking about an easily lost or stolen physical disk anymore. A live LuxSci server’s “hard drive” is some slice of space taken from a vast array of hard drives in a dedicated storage server where the drives are arranged in complex RAID arrangements. The scenarios where disk-level encryption benefits are:

  • Someone breaks into the data center and arrives at our data storage arrays (big and heavy devices screwed into racks). They take these offline and either try to plug into them directly there on the site or carry them away to access them privately, all while preserving their configuration precisely as it was.
  • Someone at the data center with full access and clearance attempts to gain such access.
  • The media that was previously used to store ePHI is not destroyed correctly and falls into the hands of people who should not have access to the data on that media.

In reality, the risk of those vectors is minimal due to the very strong level of security associated with our premium server environment. We have a HIPAA Business Associate Agreement with our server vendor, so their staff are being trained, monitored, etc., to ensure that this kind of thing never happens.

So why not do it anyway? We do!

While it does mitigate the unlikely event of the data storage array being compromised in our HIPAA business associate’s data center, this only protects against access to the raw disks while they are in use or disposed of.

Compared to inappropriate raw hardware access, it is much more likely that any attack would come via a customer mistake or by a live server being compromised somehow. E.g., a customer uploads inappropriate files to their website, or a server is compromised due to a vulnerability. In each of these cases, the server is on, and any program on that server has full access to the unencrypted data, even where the disk is encrypted. So, “encrypted disks” providing “at-rest encryption” do not protect against live server network attacks or customer actions.

That said, at-rest encryption via encryption of individual files, messages, database entries, etc., does solve the problem as any access to the raw drives or the live server still yields only these encrypted data items. Hence, LuxSci focuses on strong per-item encryption rather than relying solely on hard drive encryption, which offers weak protection in this context.