Druid Security / Segment Encryption

[Ben DeMott <be...@gmail.com>]

Was wondering if anyone had worked on, considered, or thought about
security or privacy in Druid.
Where I work has extremely strict requirements on storing some types of
client data.
Ideally we would encrypt data per-client in such a way where querying
segments requires an encryption key based upon a given dimension of the
data (client).

Has anyone worked on this, or homomorphic encrpytion in Druid?

Thanks,
Ben

Re: Druid Security / Segment Encryption

[Gian Merlino <gi...@apache.org>]

Hi Ben,

Druid's security features today consist of an authentication/authorization
layer, and the ability to use TLS. To my knowledge encrypting the data
files at rest has not been looked into yet. In the past when I've been
asked, I've suggested using disk encryption, and people usually seem happy
with that. But it sounds like you have more strict requirements.

Since Druid's segment format is column oriented, you could imagine each
column being encrypted with its own key. Possibly the same system that
handles compression could handle encryption too (we compress columns in
chunks of a few thousand rows each). I'm not enough of an encryption expert
to know if that's the right way to go, but it would be a possibility.

On Mon, Jul 2, 2018 at 4:42 PM Ben DeMott <be...@gmail.com> wrote:

> Was wondering if anyone had worked on, considered, or thought about
> security or privacy in Druid.
> Where I work has extremely strict requirements on storing some types of
> client data.
> Ideally we would encrypt data per-client in such a way where querying
> segments requires an encryption key based upon a given dimension of the
> data (client).
>
> Has anyone worked on this, or homomorphic encrpytion in Druid?
>
> Thanks,
> Ben
>