
PCI Compliance

  • General
D5
13 Nov, 2023, 19:19

In my case I need to comply with ISO 27001 norms

TL;DR
PCI compliance is not solely the responsibility of Appwrite, but encryption at rest is part of the compliance. It is recommended to manually encrypt sensitive data before storing it in Appwrite. Some cloud providers offer encryption at rest as well. SSL only encrypts data in transit. Consider using a solution like HashiCorp Vault for encryption of sensitive information within Appwrite. Storing encryption keys in the server is not recommended. Achieving end-to-end encryption with Appwrite is possible, but the server still plays a role in storing encryption keys. ISO 27001 compliance is also a consideration.
ZachHandley
13 Nov, 2023, 23:36

Hm interesting

raj
15 Nov, 2023, 05:29

is there a way to achieve end to end encryption with appwrite

D5
15 Nov, 2023, 09:05

Yes, but that's not server sided encryption, that's client side encryption

D5
15 Nov, 2023, 09:06

End to end as the name says is client to client encryption

raj
16 Nov, 2023, 05:43

Even though the term is End to End aka client to client, the server plays a major role to accomplish this, like storing the encryption keys based on user identity.

D5
16 Nov, 2023, 06:53

Doesn't make sense storing encryption keys in server

raj
16 Nov, 2023, 07:00

there should be a key recovery module, because storing the key in the client is not reliable.

D5
16 Nov, 2023, 08:32

That's what WhatsApp does for example: it stores keys in client

D5
16 Nov, 2023, 08:33

Storing encryption key in server to have data encrypted in the server is just like putting a door to prevent access to a house and put the keys of the door outside near the door

raj
19 Nov, 2023, 06:56

How about using HashiCorp Vault with Appwrite

ZachHandley
19 Nov, 2023, 20:21

interesting

ZachHandley
19 Nov, 2023, 20:21

I wonder if I can use that in an Appwrite Function

ideclon
19 Nov, 2023, 21:33

The moment the keys are anywhere outside of the control of the client, what’s the point of end-to-end encryption?

ZachHandley
20 Nov, 2023, 18:52

For things like SSN’s or other sensitive data it would be nice to encrypt it in the backend so it’s not a flat value, could use Appwrite functions env variable

ideclon
20 Nov, 2023, 18:59

That’s not end-to-end encryption, though, that’s encryption at rest

ideclon
20 Nov, 2023, 19:00

And could use envvars for what?

ZachHandley
20 Nov, 2023, 19:16

Valid yeah

ZachHandley
20 Nov, 2023, 19:19

and to keep the encryption secret, the way I was looking at it is SSL/TLS encrypts at rest, and could use that vault thing for encryption of sensitive info inside Appwrite itself e.g. encrypting the SSN at rest

Osman
20 Nov, 2023, 19:50

I currently manually encrypt sensitive data at rest with an encryption key stored as a function environment variable. Have my doubts if that is secure enough, so have also considered using something like hashicorp vault

D5
20 Nov, 2023, 20:12

Appwrite cloud server provider encrypts data at rest

ideclon
20 Nov, 2023, 20:12

SSL only encrypts in transit.

The best solution would really be to just manually encrypt it before putting it into Appwrite.

Even if you have the MySQL DB encrypted at rest, you need to handle logs, and the data will not be encrypted in transit between the Appwrite containers.

D5
20 Nov, 2023, 20:14

Adding that rest encryption is to prevent physical access to data, for example, if someone steals the hard drive from the datacenter. Some cloud providers offer encryption at rest so they manage it from their side without customers needing to do anything

ZachHandley
20 Nov, 2023, 20:18

So at rest is part of the PCI compliance part

ZachHandley
20 Nov, 2023, 20:18

a lot of the PCI compliance is in the overall app structure and not Appwrite's responsibility, but that part
