I have some sensitive data that I’m storing in my Postgres DB right now. I’d like to encrypt it at the application level for now.
In the Clojure/JVM world, I'd probably use a PGP wrapper library to handle the encrypt/decrypt steps when writing to/reading from the DB, but I'm not sure what I should be using in OCaml/Reason land. What are the community suggestions?
For password hashing, there's both pbkdf (https://github.com/abeaumont/ocaml-pbkdf) as well as scrypt-kdf (https://github.com/abeaumont/ocaml-scrypt-kdf, or as a C binding https://github.com/constfun/ocaml-scrypt) available in opam.

For encrypting data, it really depends. Maybe cryptodbm (http://cryptodbm.forge.ocamlcore.org/Cryptodbm.html) is the right tool for you (I didn't look into the implementation), or some vanilla AES-CCM? Of course you can also just call out to GnuPG if you like that (or encrypt the block device your database is stored on).

Encryption alone is only half the way there; you'll need to think about key management as well (who has access / how to manage the keys / whether rollover & revocation are needed, etc.).
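As an added example (not code from the thread or from nocrypto), here is the "vanilla AES-CCM plus key management" shape the reply above describes: a per-column value is stored as `key_id || nonce || ciphertext+tag`, so keys can be rolled over without re-encrypting every row at once, and the table/column/row id is fed in as associated data so a ciphertext copied into another row fails to decrypt. It assumes the nocrypto 0.5.x API (`Cipher_block.AES.CCM.of_secret/encrypt/decrypt`, `Rng.generate`, `Nocrypto_entropy_unix.initialize`); the keys, table name and secret value are constructed for the example.

```ocaml
(* Added example, not part of the original thread.
   Assumed API: nocrypto 0.5.x (packages nocrypto, nocrypto.unix).
   Build: ocamlfind ocamlopt -package nocrypto,nocrypto.unix -linkpkg field_crypto.ml *)
open Nocrypto

module CCM = Cipher_block.AES.CCM

(* Column wire format: key_id (1 byte) || nonce (13 bytes) || ciphertext || tag (16 bytes).
   A 13-byte CCM nonce gives a 2-byte length field, i.e. values up to 65535 bytes. *)
let nonce_len = 13
let mac_len = 16

type keyring = {
  current : int;                  (* key_id used for every new write *)
  keys    : (int * CCM.key) list; (* all key_ids that must stay readable *)
}

(* 32-byte AES-256 secrets. In production they come from a KMS/HSM or an
   injected secret, never from the source tree; here they are generated. *)
let keyring_of_secrets ~current secrets =
  let keys = List.map (fun (id, s) -> (id, CCM.of_secret ~maclen:mac_len s)) secrets in
  if not (List.mem_assoc current keys) then invalid_arg "current key not in keyring";
  { current; keys }

(* Associated data binds the ciphertext to its location in the database,
   so swapping blobs between rows or columns is detected on decrypt. *)
let aad ~table ~column ~row_id =
  Cstruct.of_string (Printf.sprintf "%s.%s#%Ld" table column row_id)

let encrypt kr ~table ~column ~row_id plaintext =
  let key = List.assoc kr.current kr.keys in
  let nonce = Rng.generate nonce_len in           (* fresh random nonce per value *)
  let ct = CCM.encrypt ~key ~nonce ~adata:(aad ~table ~column ~row_id)
             (Cstruct.of_string plaintext) in     (* tag is appended by CCM *)
  Cstruct.concat [ Cstruct.of_string (String.make 1 (Char.chr kr.current)); nonce; ct ]

let decrypt kr ~table ~column ~row_id blob =
  if Cstruct.len blob < 1 + nonce_len + mac_len then Error "truncated value"
  else
    let key_id = Cstruct.get_uint8 blob 0 in
    match List.assoc_opt key_id kr.keys with
    | None -> Error (Printf.sprintf "unknown key id %d (revoked or not yet deployed)" key_id)
    | Some key ->
      let nonce = Cstruct.sub blob 1 nonce_len in
      let ct = Cstruct.shift blob (1 + nonce_len) in
      (match CCM.decrypt ~key ~nonce ~adata:(aad ~table ~column ~row_id) ct with
       | Some pt -> Ok (Cstruct.to_string pt)
       | None -> Error "authentication failed (tampered, wrong key, or moved to another row)")

let () =
  Nocrypto_entropy_unix.initialize ();
  (* constructed keys and data for the example only *)
  let k1 = Rng.generate 32 and k2 = Rng.generate 32 in
  let ring_v1 = keyring_of_secrets ~current:1 [ (1, k1) ] in
  let blob = encrypt ring_v1 ~table:"users" ~column:"ssn" ~row_id:42L "123-45-6789" in
  (* rotation: key 2 becomes current, key 1 is kept so old rows still read *)
  let ring_v2 = keyring_of_secrets ~current:2 [ (1, k1); (2, k2) ] in
  (match decrypt ring_v2 ~table:"users" ~column:"ssn" ~row_id:42L blob with
   | Ok s    -> Printf.printf "read old row after rotation: %s\n" s
   | Error e -> Printf.printf "unexpected error: %s\n" e);
  (* the same blob copied into row 43 is rejected because the AAD differs *)
  (match decrypt ring_v2 ~table:"users" ~column:"ssn" ~row_id:43L blob with
   | Ok _    -> print_endline "BUG: row swap went undetected"
   | Error e -> Printf.printf "row swap rejected: %s\n" e);
  (* a background sweep re-encrypts under the current key and drops key 1 afterwards *)
  let blob' = encrypt ring_v2 ~table:"users" ~column:"ssn" ~row_id:42L "123-45-6789" in
  assert (Cstruct.get_uint8 blob' 0 = 2);
  let ring_v3 = keyring_of_secrets ~current:2 [ (2, k2) ] in
  (match decrypt ring_v3 ~table:"users" ~column:"ssn" ~row_id:42L blob with
   | Error e -> Printf.printf "old blob after key 1 revoked: %s\n" e
   | Ok _    -> print_endline "BUG: revoked key still usable")
```

The key id prefix is what makes rollover and revocation practical: new writes go out under the current key, a sweep re-encrypts old rows, and only then is the old key removed from the ring. The nonce is random per value, which is fine for CCM with a 13-byte nonce at realistic row counts; never derive it from the row id, since a reused (key, nonce) pair breaks the mode.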
Not encryption at all, but for password salting, there is the very nice safepass library.
cryptokit is also a good choice
cryptokit and nocrypto are my go-tos for my OCaml stuff (http://docs.mirage.io/nocrypto/Nocrypto/index.html). Honestly, the beauty of OCaml for crypto stuff is that its FFI with C is probably the best you will ever come across in a PL. So, say you want to use Keyczar because you want its fancy key rotation tricks: it would be relatively painless, assuming you know C, whereas in the Scala and Clojure world, JNI kind of sucks.