3 Replies Latest reply on Aug 24, 2016 9:19 PM by thomas.newman.redflex.com.au

Encryption for MVStore with filepersistence

thomas.newman.redflex.com.au Aug 23, 2016 8:56 PM

Hello. Thankyou for creating this project. It has suited our needs for an image server very well.

I am looking to encrypt our images at rest.

Is there a recommended approach to encrypt binary data using filepersistence? The meta data can remain unencrypted.

I am using filepersistence, which I understand to use MVStore behind the scenes.

The link below shows configuration for path and compress which map directly to MVStore builder

File System persistence - ModeShape 5 - Project Documentation Editor

See sourcecode for FileDb line 183.

modeshape/FileDb.java at 6aacd6f6be4d68ec98a5c0b82add681feb37048e · ModeShape/modeshape · GitHub

Also the wordpress site talking about file persistence changes talks about optional features like compression and encryption. Compression is a configuration option in Modeshape, but not encryption.

ModeShape | An open-source, federated content repository 2. File system store

Is there a reason to not expose MVStore.encryptionKey ? Perhaps this would impact search.

Kind Regards,

Thomas.

1. Re: Encryption for MVStore with filepersistence

hchiorean Aug 24, 2016 7:47 AM (in response to thomas.newman.redflex.com.au)

Yes, the file persistence in ModeShape 5 uses H2's MVStore, but that doesn't store binary data (i.e. binary values). The main issue with encryption for the main repository data is read performance: considering that H2 can encrypt/decrypt only an entire database (not a single row for example) and that in a typical ModeShape usage scenario repository churn is pretty high, constantly having to decrypt just to be able to read data would render the repository useless IMO (keeping the entire decrypted DB in memory is not an option).

Is there a recommended approach to encrypt binary data using filepersistence? The meta data can remain unencrypted.

When dealing with binary values you store them outside of the main repository data, in separate binary stores (there are several to choose from) - Built-in binary stores - ModeShape 5 - Project Documentation Editor and Binary values - ModeShape 5 - Project Documentation Editor So one option for example for encrypting binary data, is creating your own binary store and plugging that into ModeShape.
Actions
2. Re: Encryption for MVStore with filepersistence

thomas.newman.redflex.com.au Aug 24, 2016 7:16 PM (in response to hchiorean)

Thankyou for the answer. I will look further into the links you provided.
Actions
3. Re: Encryption for MVStore with filepersistence

thomas.newman.redflex.com.au Aug 24, 2016 9:19 PM (in response to thomas.newman.redflex.com.au)

This GitHub project looks to be very much what I am after. Just need to remove S3 stuff.
modeshape-s3-binary-store/S3BinaryStore.java at master · fcrepo4-labs/modeshape-s3-binary-store · GitHub
Actions

Go to original post