Encryption at Rest: Whose Threat Model Is It Anyway?
Heads up: This is a blog post about applied cryptography, with a focus on web and cloud applications that encrypt data at rest in a database or filesystem. While the lessons can be broadly a…
Here’s the stupid-simple attack that works in far too many cases: Bob copies Alice’s encrypted data, overwrites his records in the database with it, then accesses the insurance provider’s web app. After I published this, the r/netsec subreddit expressed disappointment that this blog post had “no mention of” consumer device theft or countries experiencing civil unrest and pulling hard drives from data centers. Rather, it’s that they’re not relevant to the specific point I am making: even in the simplest use case, far from the annoying details of end-user hardware or the whims of nation states, encryption at rest is poorly understood by most developers and should be thought through carefully.
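As an added example that is not part of the original post, here is the swap attack above played out in Go, side by side with the usual defense: authenticating the owning row's context (user ID and column) as AES-GCM associated data, so Alice's ciphertext refuses to open in Bob's row. The `Row` type, the user IDs, the `ssn` column, the key and the plaintext are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Row is a constructed stand-in for one encrypted database row.
type Row struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte
}
// rowAAD is the context a ciphertext is bound to (owner + column); nil when bind is false, the weak pattern.
func rowAAD(userID, column string, bind bool) []byte {
	if !bind {
		return nil
	}
	return []byte(userID + ":" + column)
}
// gcm returns AES-256-GCM over key (constructed, 32 bytes; a real app loads it from a KMS or HSM).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return aead
}
// EncryptRow seals pt for userID; with bind=true the owning row's context is authenticated too.
func EncryptRow(key []byte, userID, column string, pt []byte, bind bool) Row {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Row{userID, nonce, aead.Seal(nil, nonce, pt, rowAAD(userID, column, bind))}
}
// DecryptRow opens a row the way the app does: under the user ID the row is stored for.
func DecryptRow(key []byte, column string, row Row, bind bool) ([]byte, error) {
	return gcm(key).Open(nil, row.Nonce, row.Ciphertext, rowAAD(row.UserID, column, bind))
}
// SwapAttackSucceeds plays out the post's attack: Bob copies Alice's ciphertext into his own row and reads it back; true means he got her (constructed) plaintext.
func SwapAttackSucceeds(key []byte, bind bool) bool {
	a := EncryptRow(key, "alice", "ssn", []byte("123-45-6789"), bind)
	b := Row{UserID: "bob", Nonce: a.Nonce, Ciphertext: a.Ciphertext}
	pt, err := DecryptRow(key, "ssn", b, bind)
	return err == nil && string(pt) == "123-45-6789"
}
```

With `bind=false` the copied ciphertext decrypts happily in Bob's row; with `bind=true` GCM's tag check fails because the associated data now says `bob:ssn` instead of `alice:ssn`, while Alice's own reads are unaffected.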