comparison Sphinx/source/plugins/object-storage.rst @ 452:aef5c8b74381
fix + link to sample
author | Alain Mazy <alain@mazy.be> |
---|---|
date | Fri, 03 Jul 2020 13:02:29 +0200 |
parents | 938206110483 |
children | d44d61bdcd09 |
451:938206110483 | 452:aef5c8b74381 |
---|---|
132 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", | 132 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", |
133 "BucketName": "test-orthanc-storage-plugin" | 133 "BucketName": "test-orthanc-storage-plugin" |
134 } | 134 } |
135 | 135 |
136 | 136 |
137 Sample setups | |
138 ------------- | |
139 | |
140 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-osimisorthanc-pro-image-users>`__ . | |
141 | |
142 | |
137 Client-side encryption | 143 Client-side encryption |
138 ---------------------- | 144 ---------------------- |
139 | 145 |
140 Although all cloud providers already provide encryption at rest, the plugins provide | 146 Although all cloud providers already provide encryption at rest, the plugins provide |
141 an optional layer of client-side encryption . It is very important that you understand | 147 an optional layer of client-side encryption . It is very important that you understand |
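Review bot: In the new "Sample setups" section (line 140 of the new file), the link reference is followed by a stray space before the full stop (``...pro-image-users>`__ .``), so the rendered sentence ends with " ."; write it as ``>`__.`` instead. The target also deep-links into the Bitbucket README via the fragment `#markdown-header-for-osimisorthanc-pro-image-users`, which is derived from a heading's text and will silently stop resolving if that heading is renamed; linking to the repository root (or the specific sample directory) would be more durable.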
175 Technical details | 181 Technical details |
176 ^^^^^^^^^^^^^^^^^ | 182 ^^^^^^^^^^^^^^^^^ |
177 | 183 |
178 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. | 184 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. |
179 | 185 |
180 When configuring the plugin, you'll have to provide a `Master Key` that we can also call the `Key Encryption Key` (KEK). | 186 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**. |
181 | 187 |
182 For each file being saved, the plugin will generate a new `Data Encryption Key` (DEK). This DEK, encrypted with the KEK will be pre-pended to the file. | 188 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file. |
183 | 189 |
184 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added | 190 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added |
185 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. | 191 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. |
186 | 192 |
187 To summarize: | 193 To summarize: |
188 | 194 |
189 - We use `Crypto++<https://www.cryptopp.com/>`__ to perform all encryptions. | 195 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions. |
190 - All keys (KEK and DEK) are AES-256 keys. | 196 - All keys (KEK and DEK) are AES-256 keys. |
191 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. | 197 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. |
192 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. | 198 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. |
193 | 199 |
194 The format of data stored on disk is therefore the following: | 200 The format of data stored on disk is therefore the following: |
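Review bot: The Crypto++ link fix on line 195 is the substantive correction in this hunk: reStructuredText needs a space between the link text and the `<url>` target, so the previous ``Crypto++<https://www.cryptopp.com/>`__`` would have rendered as literal text rather than a hyperlink; the bold markup on the KEK/DEK terms is otherwise purely cosmetic. Since these lines are being touched, a few wording fixes are worth folding in: line 184 "2 kind of files" should read "two kinds of files"; line 188 needs a comma after "encrypted with the KEK" and "pre-pended" is normally spelt "prepended"; line 197 repeats "using" ("using CTR block cipher using a null IV") and line 198 should start with a capital "Data". Finally, readers of line 197 will reasonably ask why a null IV is acceptable when the KEK wraps every DEK; a short sentence explaining the rationale (the text already notes on line 188 that a fresh DEK is generated for each file) would pre-empt that question.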