Transparent high-performance data-at-rest encryption for platform-as-a-service (PaaS) environments

摘要

Apparatus and methods are disclosed for transparently and efficiently encrypting data-at-rest in a platform as a service (PaaS) environment. Disclosed techniques transparently transform any existing persistent data services in the PaaS environment into respective secure data services. For the deployment of the above secure data services, an encryption addon containing an addon core and activity-based callouts is provided. The addon core contains a kernel module for encryption/decryption. A coordinator in charge of the deployment executes a pre-filesystem-creation callout that encrypts a raw storage device before creating a filesystem on it. It then deploys a secure data service configured to use the filesystem. Thus, applications using the data service can now transparently store data as encrypted data-at-rest in the filesystem. Similarly, the coordinator also executes a pre-filesystem-mounting callout before mounting the filesystem for accessing encrypted-data-rest. Thus, applications using the secure data service can transparently decrypt and use the encrypted data-at-rest.