Universal encryption of data at rest
All data stored by OSDU must be encrypted at rest: in all services that store data, and in all infrastructure providers. Storage at rest includes:
- Virtual machines / Container hosts
- Shared file services
- Object storage (e.g., S3, Google Cloud Storage, Azure Cloud Storage)
- Relational databases
- Document databases (e.g., ElasticSearch)
Infrastructure providers are:
- AWS
- Azure
- Google Cloud Platform
- IBM / RedHat
Operator Inputs
- Chevron: Chevron requires the use of Chevron's HSM or Azure Key Vault (but does not require BYOK if Azure Key Vault is used).
- Repsol: Azure Key Vault is acceptable.
- Equinor: Record Level Encryption (RLE) to segment data based on classification would be beneficial but it is not a definitive requirement (depends on the data). HSM shall be used for central/critical components.
Definition of Done
For each infrastructure provider:
- Document all areas that store data at rest
- Document what encryption at rest is used
- Document where encryption at rest is not available and/or not used
- Link to specific information for more details
Given 4 infrastructure providers and approximately 5 kinds of storage each, there will need to be about 20 statements generated.
For example
This is a fictitious example.
On AWS, "virtual machines" are EC2 instances. The "hard disk" of the virtual machine is an EBS volume. All EBS volumes are encrypted using Amazon Key Management Service (KMS) encryption. For information on EBS volume encryption options, click here. For information on KMS encryption algorithms and keys, click here.
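As an added illustration of how the "virtual machines" statement above (and the Definition of Done items "what encryption at rest is used" and "where it is not used") can be backed by evidence rather than assertion, the script below turns a `describe-volumes` style listing into the statement plus its list of exceptions. This is example code written for this page, not OSDU project code; the volume IDs and key ARNs in the sample are constructed, and the field names follow the public `aws ec2 describe-volumes` output shape.

```python
import json
from collections import Counter

# Constructed sample modelled on `aws ec2 describe-volumes` output
# (Volumes[].VolumeId / Encrypted / KmsKeyId). IDs and ARNs are made up.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa111", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-cmk"},
        {"VolumeId": "vol-0bbb222", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-cmk"},
        {"VolumeId": "vol-0ccc333", "Encrypted": False},
    ]
})


def audit_ebs_encryption(describe_volumes_json):
    """Return (statement, exceptions) for the AWS / virtual machines row.

    statement  - the sentence to paste into the per-provider evidence table
    exceptions - volume IDs that are NOT encrypted at rest (DoD: "where
                 encryption at rest is not available and/or not used")
    """
    volumes = json.loads(describe_volumes_json)["Volumes"]
    keys_in_use = Counter()   # KMS key ARN -> number of volumes it protects
    exceptions = []
    for vol in volumes:
        if vol.get("Encrypted"):
            keys_in_use[vol.get("KmsKeyId", "<unknown key>")] += 1
        else:
            exceptions.append(vol["VolumeId"])
    total = len(volumes)
    covered = total - len(exceptions)
    statement = (
        f"AWS / virtual machines: {covered} of {total} EBS volumes are "
        f"encrypted at rest with AWS KMS ({len(keys_in_use)} distinct key(s))."
    )
    return statement, exceptions


if __name__ == "__main__":
    stmt, exc = audit_ebs_encryption(SAMPLE_DESCRIBE_VOLUMES)
    print(stmt)
    for vol_id in exc:
        print(f"  exception: {vol_id} is not encrypted at rest")
```

The same pattern (list the storage objects, record the key that protects each, report the ones with no key) gives one evidence-backed statement per storage kind per provider.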
Edited by Paco Hope (AWS)