Client controlled, secure endpoint-to-endpoint storage in the cloud

University essay from KTH/Hälsoinformatik och logistik

Author: Maximilian Michelson; [2020]


Abstract: Softronic's customers do not want them to store sensitive data in a cloud environment as they distrust the cloud providers with keeping sensitive data secret and are afraid of violating GDPR. Softronic wants to prove that data can be kept protected using encryption, even though it is stored in a cloud, and the goal of this thesis is to find a cryptographic solution with good security and performance.

The chosen solution was to implement object-level encryption with both encryption and decryption done on-site at Softronic with the cloud provider kept outside of the encryption process. Encrypted data can then safely be stored in the cloud and decrypted on demand on-site again.

The cryptography used in the solution was determined after multiple evaluations comparing encryption algorithms and the effects of key lengths, block sizes, and modes of operation. The evaluations showed big performance differences between encryption algorithms as well as for different encryption modes, where the biggest difference was between those with and without integrity checks built-in. The key length used did not affect object-level encryption performance and the biggest key size can, therefore, be used for maximum security. The different block sizes did not affect performance either, but a 128-bit one, as opposed to a 64-bit one, requires less maintenance, as key rotations are not required as frequently.

The secure transport protocol, TLS, performed in-transit encryption of the object-level encrypted data as it was sent to the cloud for storage which adversely affects performance. TLS encryption suites were, therefore, evaluated to find the one with the smallest performance impact. The evaluations found that the key size affected performance when doing in-transit encryption, as opposed to object-level encryption, and that the encryption suite, TLS_AES_128_GCM_SHA256, with the smallest key performed the best.
Keywords: Encryption, data protection, cloud databases, symmetric encryption, TLS, GDPR, AEAD, Crypto
