问题
We can secure the data while its travelling using spiped or stunnel. But How do we do that while the data at rest? What if someone took the whole database? How can we encrypt the persistent data storage? Do we need to do this in application layer?
回答1:
When looking at the documentation at https://redis.io/topics/security it is clear that encryption of data at rest isn't supported:
Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
And (emphasis mine):
[...] in general, untrusted access to Redis should always be mediated by a layer implementing ACLs, validating user input, and deciding what operations to perform against the Redis instance. In general, Redis is not optimized for maximum security but for maximum performance and simplicity.
回答2:
What I would do is to set the database im some sort of private server not accesible by the internet. You can comunicate to it through private IP addressed.
Amazon Web Services offers a very good architecture for Virtual Private Cloud that you can try using their free tier. (Use t2.micro Instances and make sure their summed running time doesnt go over 30 days, also that they dont use up more than 30Gb of storage capacity)
With respect to how to protect the data if a hacker could actually access the database: I would encrypt all the sensitive info that I will be checking in the future with a one way hash algorithm. Every programming language has their own syntax for SHA256 and several others encrypting algorithm. I believe for Node.js you could use crypto module (not sure if it has the one way hashing but it should.)
So every time a user sends something, you can hash it and compare it to the database encrypted data.
For example for the case of emails, it could be a two way hashing, that way it can be retrieved afterwards.
At this point, even if some accessed the database it would get irrelevant information.
来源:https://stackoverflow.com/questions/35312113/how-to-do-redis-data-encryption