An overview of the scope of this topic.
Sensitive Data Security¶
Sensitive data should be encrypted at-rest.
- Project Scope: Deckhand
- Solution Remediated: The
storagePolicymetadata determines if Deckhand will persist document data encrypted.
- Audit: Testing: Pipeline test checks that documents with a
storagePolicy: encryptedare not persisted to the database with an intact
Sensitive data should be encrypted in-transit.
- Project Scope: Shipyard, Deckhand
- Solution Pending: Shipyard and Deckhand API endpoints should support TLS. See data_security.
- Audit: Pending: Expect to validate post-deployment that endpoints all support TLS
For items that require guidance on configuration that impact a security item please list an item here. Use RST anchors and links to link the security item solution status to this guidance.
Data Security In-Transit¶
Current work to support Deckhand enabling TLS termination, Shipyard enabling self-signing CAs and Barbican supporting TLS termination.