Module 3: Technical Implementation

Data Encryption Requirements

18 min
+50 XP

Data Encryption Requirements

ISO 27018 mandates comprehensive encryption controls to protect PII in cloud environments. This lesson covers encryption requirements for data at rest, in transit, and in use.

Encryption Fundamentals

Why Encryption for Cloud PII?

Protection Layers:

  • Confidentiality: PII unreadable without keys
  • Integrity: Detect unauthorized modifications
  • Compliance: Meet regulatory requirements
  • Breach Mitigation: Encrypted data = lower breach impact

ISO 27018 Position: "The public cloud PII processor shall protect PII by using encryption techniques when PII is transmitted over public networks and when stored."

Encryption at Rest

Definition

Protecting stored PII through encryption on physical storage media.

Requirements

Minimum Standards:

  • Algorithm: AES-256 or equivalent
  • Key Length: 256-bit or stronger
  • Implementation: FIPS 140-2 Level 2+ compliant
  • Scope: All PII storage locations

Implementation Layers

1. Full Disk Encryption (FDE)

Physical Storage Layer
├── Operating System Encryption
│   ├── BitLocker (Windows)
│   ├── FileVault (macOS)
│   └── dm-crypt/LUKS (Linux)
└── Hardware Encryption (Self-Encrypting Drives)

2. Database Encryption

-- Transparent Data Encryption (TDE)
-- SQL Server Example
CREATE DATABASE ENCRYPTION KEY
WITH ALGORITHM = AES_256
ENCRYPTION BY SERVER CERTIFICATE TDECert;

ALTER DATABASE CustomerData
SET ENCRYPTION ON;

-- PostgreSQL Example
-- In postgresql.conf:
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_cipher = 'HIGH:!aNULL'

3. Application-Level Encryption

import { createCipher, createDecipher, randomBytes } from 'crypto';

class PIIEncryption {
  private algorithm = 'aes-256-gcm';
  private keyLength = 32; // 256 bits

  encrypt(plaintext: string, key: Buffer): EncryptedData {
    const iv = randomBytes(16);
    const cipher = createCipheriv(this.algorithm, key, iv);

    let encrypted = cipher.update(plaintext, 'utf8', 'hex');
    encrypted += cipher.final('hex');

    const authTag = cipher.getAuthTag();

    return {
      ciphertext: encrypted,
      iv: iv.toString('hex'),
      authTag: authTag.toString('hex')
    };
  }

  decrypt(encrypted: EncryptedData, key: Buffer): string {
    const decipher = createDecipheriv(
      this.algorithm,
      key,
      Buffer.from(encrypted.iv, 'hex')
    );

    decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));

    let decrypted = decipher.update(encrypted.ciphertext, 'hex', 'utf8');
    decrypted += decipher.final('utf8');

    return decrypted;
  }
}

// Field-level encryption
interface CustomerRecord {
  id: string;
  email_encrypted: string;
  email_iv: string;
  email_tag: string;
  name_encrypted: string;
  name_iv: string;
  name_tag: string;
}

4. File System Encryption

# Encrypt specific directories
# Using eCryptfs
mount -t ecryptfs /secure/pii /secure/pii

# Using EncFS
encfs /encrypted/pii /decrypted/pii

Cloud Provider Encryption

AWS:

// S3 Server-Side Encryption
const s3 = new AWS.S3();
await s3.putObject({
  Bucket: 'pii-bucket',
  Key: 'customer-data.json',
  Body: data,
  ServerSideEncryption: 'AES256',
  // Or use AWS KMS
  ServerSideEncryption: 'aws:kms',
  SSEKMSKeyId: 'arn:aws:kms:...'
}).promise();

// RDS Encryption
const rds = new AWS.RDS();
await rds.createDBInstance({
  DBInstanceIdentifier: 'pii-database',
  StorageEncrypted: true,
  KmsKeyId: 'arn:aws:kms:...',
  ...
}).promise();

Azure:

// Azure Storage Encryption
const blobService = azure.createBlobService();
blobService.createBlockBlobFromText(
  'pii-container',
  'customer-data.json',
  data,
  {
    encryptionPolicy: {
      key: encryptionKey,
      keyResolver: keyResolver
    }
  }
);

// Azure SQL Transparent Data Encryption
ALTER DATABASE CustomerDB
SET ENCRYPTION ON;

Google Cloud:

// GCS Customer-Supplied Encryption Keys
const storage = new Storage();
const file = storage.bucket('pii-bucket').file('data.json');
await file.save(data, {
  encryptionKey: Buffer.from(key, 'base64')
});

// Cloud SQL encryption (automatic)
// Encrypted by default with Google-managed keys

Encryption in Transit

Definition

Protecting PII during transmission across networks.

Requirements

Minimum Standards:

  • Protocol: TLS 1.3 (minimum TLS 1.2)
  • Cipher Suites: Strong ciphers only (AEAD)
  • Certificate: Valid, trusted CA-signed certificates
  • Perfect Forward Secrecy: Enabled

TLS Configuration

Web Server (Nginx):

server {
    listen 443 ssl http2;
    server_name api.example.com;

    # TLS 1.3 only (or minimum 1.2)
    ssl_protocols TLSv1.3 TLSv1.2;

    # Strong cipher suites
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Perfect Forward Secrecy
    ssl_ecdh_curve secp384r1;

    # Certificates
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Disable older protocols
    ssl_session_tickets off;
}

Application (Node.js):

import https from 'https';
import fs from 'fs';

const options = {
  key: fs.readFileSync('private-key.pem'),
  cert: fs.readFileSync('certificate.pem'),
  minVersion: 'TLSv1.3',
  ciphers: [
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256'
  ].join(':'),
  honorCipherOrder: true
};

const server = https.createServer(options, (req, res) => {
  // Handle requests
});

server.listen(443);

API Communication

Internal Service-to-Service:

// mTLS (Mutual TLS) for service authentication
import axios from 'axios';
import https from 'https';
import fs from 'fs';

const agent = new https.Agent({
  cert: fs.readFileSync('client-cert.pem'),
  key: fs.readFileSync('client-key.pem'),
  ca: fs.readFileSync('ca-cert.pem'),
  rejectUnauthorized: true
});

const response = await axios.get('https://internal-api.example.com/pii', {
  httpsAgent: agent
});

Database Connections

Always Encrypted Connections:

// PostgreSQL with TLS
const pool = new Pool({
  host: 'db.example.com',
  port: 5432,
  database: 'pii_database',
  user: 'app',
  password: process.env.DB_PASSWORD,
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('ca-certificate.crt').toString(),
    cert: fs.readFileSync('client-cert.crt').toString(),
    key: fs.readFileSync('client-key.key').toString()
  }
});

// MySQL with TLS
const connection = mysql.createConnection({
  host: 'db.example.com',
  user: 'app',
  password: process.env.DB_PASSWORD,
  database: 'pii_database',
  ssl: {
    ca: fs.readFileSync('ca.pem'),
    cert: fs.readFileSync('client-cert.pem'),
    key: fs.readFileSync('client-key.pem')
  }
});

Encryption in Use (Advanced)

Confidential Computing

Protect PII While Processing:

  • Intel SGX: Secure enclaves for computation
  • AMD SEV: Encrypted virtual machine memory
  • ARM TrustZone: Isolated execution environment

Use Cases:

  • Processing sensitive analytics on PII
  • Multi-party computation
  • Secure machine learning on encrypted data

Key Management

Key Management Hierarchy

Root Key (HSM-protected)
    ├── Key Encryption Keys (KEKs)
    │   ├── Database Encryption Key
    │   ├── Application Encryption Key
    │   └── Backup Encryption Key
    └── Data Encryption Keys (DEKs)
        ├── Customer 1 Data Key
        ├── Customer 2 Data Key
        └── ...

Key Management System Requirements

Essential Features:

  • Hardware Security Module (HSM) integration
  • Key rotation automation
  • Key versioning and lifecycle management
  • Access control and audit logging
  • Key backup and recovery
  • Separation of duties

Implementation Example

AWS KMS:

import { KMS } from 'aws-sdk';

class KeyManagement {
  private kms = new KMS();

  async encryptPII(plaintext: string, keyId: string): Promise<string> {
    const result = await this.kms.encrypt({
      KeyId: keyId,
      Plaintext: Buffer.from(plaintext)
    }).promise();

    return result.CiphertextBlob.toString('base64');
  }

  async decryptPII(ciphertext: string): Promise<string> {
    const result = await this.kms.decrypt({
      CiphertextBlob: Buffer.from(ciphertext, 'base64')
    }).promise();

    return result.Plaintext.toString('utf8');
  }

  async rotateKey(keyId: string): Promise<void> {
    await this.kms.enableKeyRotation({
      KeyId: keyId
    }).promise();
  }
}

Azure Key Vault:

import { SecretClient } from '@azure/keyvault-secrets';
import { CryptographyClient } from '@azure/keyvault-keys';

class AzureKeyManagement {
  private client: CryptographyClient;

  async encryptData(data: Buffer, keyId: string): Promise<Buffer> {
    const result = await this.client.encrypt('RSA-OAEP-256', data);
    return result.result;
  }

  async decryptData(encryptedData: Buffer, keyId: string): Promise<Buffer> {
    const result = await this.client.decrypt('RSA-OAEP-256', encryptedData);
    return result.result;
  }
}

Key Rotation Strategy

Automated Rotation:

interface KeyRotationPolicy {
  keyId: string;
  rotationPeriod: number; // days
  lastRotation: Date;
  nextRotation: Date;
}

class KeyRotationService {
  async rotateKeys(): Promise<void> {
    const keysToRotate = await this.getKeysNeedingRotation();

    for (const policy of keysToRotate) {
      // Generate new key version
      const newKey = await this.generateNewKeyVersion(policy.keyId);

      // Re-encrypt data with new key (envelope encryption)
      await this.reEncryptData(policy.keyId, newKey);

      // Update rotation tracking
      await this.updateRotationRecord(policy.keyId, new Date());

      // Audit log
      await this.auditLog.record('KEY_ROTATED', {
        keyId: policy.keyId,
        timestamp: new Date()
      });
    }
  }
}

Encryption Verification

Testing Requirements

Verification Checklist:

  • All PII encrypted at rest (scan storage)
  • All connections use TLS 1.2+ (network scan)
  • Strong cipher suites only (configuration review)
  • Valid certificates (certificate inspection)
  • Key rotation functional (test rotation process)
  • Encryption performance acceptable (load testing)

Automated Scanning

class EncryptionScanner {
  async scanDatabase(): Promise<ScanResult> {
    // Check if database encryption enabled
    const encryptionStatus = await this.checkDatabaseEncryption();

    // Scan for unencrypted PII columns
    const unencryptedPII = await this.findUnencryptedPIIColumns();

    return {
      databaseEncrypted: encryptionStatus,
      unencryptedColumns: unencryptedPII,
      compliant: encryptionStatus && unencryptedPII.length === 0
    };
  }

  async scanNetworkTraffic(): Promise<NetworkScanResult> {
    // Verify TLS for all endpoints
    const endpoints = await this.getAllEndpoints();
    const results = [];

    for (const endpoint of endpoints) {
      const tlsVersion = await this.checkTLSVersion(endpoint);
      const cipherSuite = await this.checkCipherSuite(endpoint);
      const certValid = await this.verifyCertificate(endpoint);

      results.push({
        endpoint,
        tlsVersion,
        cipherSuite,
        certValid,
        compliant: tlsVersion >= 'TLSv1.2' && certValid
      });
    }

    return results;
  }
}

Compliance Checklist

Encryption at Rest:

  • Full disk encryption on all servers
  • Database-level encryption enabled
  • Application-level encryption for sensitive fields
  • Cloud storage encryption configured
  • Backup encryption enabled
  • Encryption keys managed securely

Encryption in Transit:

  • TLS 1.2+ enforced on all endpoints
  • Strong cipher suites configured
  • Valid certificates from trusted CAs
  • Certificate expiry monitoring
  • HSTS headers configured
  • Internal service mTLS

Key Management:

  • HSM or equivalent for key storage
  • Automated key rotation (annual minimum)
  • Key access logging
  • Separation of duties for key management
  • Key backup and recovery procedures
  • Key lifecycle documentation

Common Pitfalls

Encryption in name only: Weak algorithms or short keys ✓ Right: AES-256, RSA-4096, industry-standard algorithms

Keys stored with data: Encryption keys in same location as encrypted data ✓ Right: Separate key management service/HSM

No key rotation: Same keys used for years ✓ Right: Automated annual (or more frequent) rotation

Mixed encrypted/unencrypted: Some PII encrypted, some not ✓ Right: Consistent encryption for all PII

Ignoring performance: Encryption causing unacceptable slowdown ✓ Right: Hardware acceleration, efficient algorithms

Performance Considerations

Optimization Strategies:

  • Use hardware-accelerated encryption (AES-NI)
  • Implement connection pooling for TLS
  • Cache decrypted data appropriately (with security)
  • Use envelope encryption for large data
  • Offload encryption to dedicated services

Benchmarking:

class EncryptionBenchmark {
  async measurePerformance() {
    const data = Buffer.alloc(1024 * 1024); // 1MB
    const iterations = 1000;

    const start = Date.now();
    for (let i = 0; i < iterations; i++) {
      await this.encrypt(data);
    }
    const duration = Date.now() - start;

    console.log(`Throughput: ${(iterations / duration * 1000).toFixed(2)} ops/sec`);
    console.log(`Latency: ${(duration / iterations).toFixed(2)} ms/op`);
  }
}

Audit Evidence

Documentation Required:

  • Encryption architecture diagram
  • Encryption standards policy
  • Key management procedures
  • Encryption testing results
  • TLS configuration screenshots
  • Certificate inventory
  • Key rotation logs

Next Lesson: Access control for PII - implementing least privilege and role-based access.

Complete this lesson

Earn +50 XP and progress to the next lesson

Previous

Control Assessment

Next

Access Control for PII