At-Rest Encryption
BonsaiDb offers at-rest encryption. An overview of how it works is available in the bonsaidb::local::vault
module.
Enabling at-rest encryption by default
When opening your BonsaiDb instance, there is a configuration option default_encryption_key
. Once this is set, all new data written that supports being encrypted will be encrypted at-rest.
let storage = Storage::open(
StorageConfiguration::new(&directory)
.vault_key_storage(vault_key_storage)
.default_encryption_key(KeyId::Master)
)?;
Enabling at-rest encryption on a per-collection basis
Collection::encryption_key()
can be overridden on a per-Collection basis. If a collection requests encryption but the feature is disabled, an error will be generated.
To enable a collection to be encrypted when the feature is enabled, only return a key when ENCRYPTION_ENABLED is true.