comparison Sphinx/source/plugins/object-storage.rst @ 452:aef5c8b74381

fix + link to sample
author Alain Mazy <alain@mazy.be>
date Fri, 03 Jul 2020 13:02:29 +0200
parents 938206110483
children d44d61bdcd09
comparison
equal deleted inserted replaced
451:938206110483 452:aef5c8b74381
132 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json", 132 "ServiceAccountFile": "/path/to/googleServiceAccountFile.json",
133 "BucketName": "test-orthanc-storage-plugin" 133 "BucketName": "test-orthanc-storage-plugin"
134 } 134 }
135 135
136 136
137 Sample setups
138 -------------
139
140 You'll find sample deployments and more info in the `Orthanc Setup Samples repository <https://bitbucket.org/osimis/orthanc-setup-samples/src/master/#markdown-header-for-osimisorthanc-pro-image-users>`__ .
141
142
137 Client-side encryption 143 Client-side encryption
138 ---------------------- 144 ----------------------
139 145
140 Although all cloud providers already provide encryption at rest, the plugins provide 146 Although all cloud providers already provide encryption at rest, the plugins provide
141 an optional layer of client-side encryption . It is very important that you understand 147 an optional layer of client-side encryption . It is very important that you understand
175 Technical details 181 Technical details
176 ^^^^^^^^^^^^^^^^^ 182 ^^^^^^^^^^^^^^^^^
177 183
178 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI. 184 Orthanc saves 2 kind of files: DICOM files and JSON summaries of DICOM files. Both files contain PHI.
179 185
180 When configuring the plugin, you'll have to provide a `Master Key` that we can also call the `Key Encryption Key` (KEK). 186 When configuring the plugin, you'll have to provide a **Master Key** that we can also call the **Key Encryption Key (KEK)**.
181 187
182 For each file being saved, the plugin will generate a new `Data Encryption Key` (DEK). This DEK, encrypted with the KEK will be pre-pended to the file. 188 For each file being saved, the plugin will generate a new **Data Encryption Key (DEK)**. This DEK, encrypted with the KEK will be pre-pended to the file.
183 189
184 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added 190 If, at any point, your KEK leaks or you want to rotate your KEKs, you'll be able to use a new one to encrypt new files that are being added
185 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs. 191 and still use the old ones to decrypt data. You could then eventually start a side script to remove usages of the leaked/obsolete KEKs.
186 192
187 To summarize: 193 To summarize:
188 194
189 - We use `Crypto++<https://www.cryptopp.com/>`__ to perform all encryptions. 195 - We use `Crypto++ <https://www.cryptopp.com/>`__ to perform all encryptions.
190 - All keys (KEK and DEK) are AES-256 keys. 196 - All keys (KEK and DEK) are AES-256 keys.
191 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV. 197 - DEKs and IVs are encrypted by KEK using CTR block cipher using a null IV.
192 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file. 198 - data is encrypted by DEK using GCM block cipher that will also perform integrity check on the whole file.
193 199
194 The format of data stored on disk is therefore the following: 200 The format of data stored on disk is therefore the following: