With RavenDB 4.0, we are looking to strengthen our encryption capabilities. Right now RavenDB is capable of encrypting document data and the contents of indexes at rest. That is, if you look at the disk, the data is securely encrypted. However, in memory, we keep quite a bit of information in plain text (mostly in caches of various kinds), and the document metadata isn’t encrypted, so document keys are visible.
- All encryption/decryption operations are done on data that is aligned on 4KB boundary and is always in multiples of 4 KB. It would be extremely helpful if the encryption would not change the size of the data. Given that the data is always in 4KB increments, I don’t think that this is going to be an issue.
- We can’t use a managed API to do so. Our data actually resides in unmanaged memory, so ideally we would need something like this:
```csharp
void Encrypt(Context* ctx, byte* plainSrc, byte* encryptedDest, int size);
void Decrypt(Context* ctx, byte* encryptedSrc, byte* decryptedDest, int size);
```
- I also need to be able to call this from C#, and it needs to run on Windows, Linux and hopefully Mac OS.
- I’ve been looking at stuff like this page, trying to understand what it means and hoping that this is actually using best practices for safety.
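
One way the size-preserving requirement and the pointer-based signatures above can fit together, as an added example that is not RavenDB's code: it assumes libsodium as the native library and uses its detached XChaCha20-Poly1305 calls, so the ciphertext stays exactly `size` bytes while the nonce and MAC go to separate buffers. The `PageCrypto` class, the `Context` layout and the extra `nonce`/`mac` parameters are hypothetical.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example, not RavenDB code. Assumes libsodium is installed on the host.
public static unsafe class PageCrypto
{
    const string Lib = "libsodium"; // libsodium.dll / libsodium.so / libsodium.dylib
    const CallingConvention Cc = CallingConvention.Cdecl;
    public const int PageSize = 4096, KeyBytes = 32, NonceBytes = 24, MacBytes = 16;

    // Hypothetical context layout: only the 256-bit key, held in unmanaged memory.
    public struct Context { public fixed byte Key[KeyBytes]; }

    [DllImport(Lib, CallingConvention = Cc)] static extern int sodium_init();
    [DllImport(Lib, CallingConvention = Cc)] static extern void randombytes_buf(void* buf, UIntPtr size);
    [DllImport(Lib, CallingConvention = Cc)]
    static extern int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(
        byte* c, byte* mac, ulong* maclen, byte* m, ulong mlen,
        byte* ad, ulong adlen, byte* nsec, byte* npub, byte* k);
    [DllImport(Lib, CallingConvention = Cc)]
    static extern int crypto_aead_xchacha20poly1305_ietf_decrypt_detached(
        byte* m, byte* nsec, byte* c, ulong clen, byte* mac,
        byte* ad, ulong adlen, byte* npub, byte* k);

    static PageCrypto()
    {
        if (sodium_init() < 0) throw new InvalidOperationException("libsodium init failed");
    }

    static void CheckSize(int size)
    {
        if (size <= 0 || size % PageSize != 0)
            throw new ArgumentException("size must be a positive multiple of 4 KB");
    }

    // Writes exactly `size` ciphertext bytes. The 24-byte nonce and 16-byte MAC go to
    // caller-provided buffers and must be stored next to the data for later decryption.
    public static void Encrypt(Context* ctx, byte* plainSrc, byte* encryptedDest, int size,
                               byte* nonce, byte* mac)
    {
        CheckSize(size);
        randombytes_buf(nonce, new UIntPtr(NonceBytes)); // fresh nonce on every write
        if (crypto_aead_xchacha20poly1305_ietf_encrypt_detached(encryptedDest, mac, null,
                plainSrc, (ulong)size, null, 0, null, nonce, ctx->Key) != 0)
            throw new InvalidOperationException("encryption failed");
    }

    // Returns false when the MAC check fails, i.e. the data, nonce, MAC or key is wrong.
    public static bool Decrypt(Context* ctx, byte* encryptedSrc, byte* decryptedDest, int size,
                               byte* nonce, byte* mac)
    {
        CheckSize(size);
        return crypto_aead_xchacha20poly1305_ietf_decrypt_detached(decryptedDest, null,
            encryptedSrc, (ulong)size, mac, null, 0, nonce, ctx->Key) == 0;
    }
}
```

The data region keeps its size, but the 40 bytes of nonce and MAC per call still need a home; dropping them to match the two original signatures exactly would mean giving up tamper detection and fresh nonces on rewrite.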