Encryption in Hypha 🔐

[wes-otf]

An extension of the discussions taking place in #2192 & #1966.

In the dev standup we discussed encrypting sensitive fields of applications that were inactive (status of accepted, dismissed, archived, out of remit, etc.) as the performance drop would likely be too much for applications that were being frequently accessed/in-progress. This would also be a configurable feature, and would be off by default.

A few questions/thoughts I had:

Implementation

Two ways this could be implemented:

• Encryption on the Python side
  • Seems like implementation may be a bit easier leveraging libraries like django-cryptography
  • Supports existing model fields like JSONField
• Encryption on the Postgres side
  • Leveraging django-pgcrypto - limited support for existing fields we use (supported fields can be seen here)
  • Likely will be faster than the former both in encrypt/decrypt operations & queries

Manual Encryption

Should admins have the option to manually encrypt applications? If an application is especially sensitive, should an admin be able to mark it as such thus encrypting it?

Searching Encrypted Applications

Search in the app could become a potentially annoying process by encrypting all submissions with an inactive status. Any ideas to make this less tedious? search_data & search_document fields will also be encrypted I'm assuming.

[wes-otf]

I'll likely have more questions that I'll keep tossing up but feel free to give any suggestions + thoughts! I started prototyping this utilizing the django-cryptography library and so far that's been smooth with a couple bumps in the road.

[frjo]

We discussed this today in the dev team. The TLDR is that we do not recommend encryption in Hypha. Too many issues with small security gain.

If someone gets access to the database they most likely get access to the encryption key as well. More likely attack vector is a staff user account and then encryption makes no difference since the system will decrypt anything for staff.

Dev team suggestion to solve the underlaying issue is to:

1. Remove all non active content from live instance. What you do not have you can not lose.
2. Run another instance behind a VPN that is only accessible to a few staff/admins. That instance has all historic date.
3. Come up with a system to update the locked down instance with new data from live.

The locked down instance could run Hypha or some db query system.

[wes-otf]

sounds good to me! seems like a better use of time would be #3441, so I can look into that instead. Along with implementing some auto deletion jobs