Encryption
EZ-CDC implements encryption at multiple layers to protect your data.
Encryption Overview
In-Transit Encryption
Control Plane Communication
All communication with the control plane uses TLS 1.3:
| Connection | Protocol | Encryption |
|---|---|---|
| Portal → API | HTTPS | TLS 1.3 |
| Worker → API | HTTPS | TLS 1.3 |
| Worker → Control Plane (gRPC) | gRPC/TLS | TLS 1.3 |
Database Connections
Configure SSL for database connections:
PostgreSQL Source:
```json
{
  "ssl_mode": "require",
  "ssl_root_cert": "-----BEGIN CERTIFICATE-----..."
}
```
StarRocks Sink:
```json
{
  "ssl_enabled": true
}
```
SSL Modes
| Mode | Encryption | Certificate Verification |
|---|---|---|
| disable | None | None |
| allow | Optional | None |
| prefer | Preferred | None |
| require | Required | None |
| verify-ca | Required | CA verified |
| verify-full | Required | CA + hostname verified |
tip
Use require as the minimum for production: the session is always encrypted, but the server's certificate is not checked, so a host that can intercept the connection could present its own certificate and read the traffic. Use verify-full wherever the server's CA certificate is available; it validates the certificate chain against ssl_root_cert and checks that the certificate matches the host being connected to.
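What each mode in the table actually checks is easiest to see as a TLS client configuration. The following is an added example, not EZ-CDC's code (the page does not show its connector); it maps the PostgreSQL-style ssl_mode values onto Go's crypto/tls following libpq semantics, which is an assumption. The root CA is generated in-process so the example runs offline, and the hostname db.example.internal is made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSConfigForSSLMode maps a PostgreSQL-style ssl_mode onto a crypto/tls client
// config. It returns the config (nil = plaintext), whether falling back to
// plaintext is allowed, and an error for unusable input. This mirrors libpq
// semantics; EZ-CDC's own client is not shown on the page (assumption).
func TLSConfigForSSLMode(mode, rootCertPEM, host string) (cfg *tls.Config, plaintextFallback bool, err error) {
	switch mode {
	case "disable":
		return nil, true, nil
	case "allow", "prefer", "require":
		// Encrypted, but whatever certificate the peer presents is accepted:
		// anyone who can intercept the connection can impersonate the database.
		cfg = &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}
		return cfg, mode != "require", nil
	case "verify-ca", "verify-full":
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(rootCertPEM)) {
			return nil, false, errors.New("ssl_root_cert contains no usable certificate")
		}
		if mode == "verify-full" {
			// Chain must end at ssl_root_cert AND the leaf must match the intended host.
			return &tls.Config{RootCAs: pool, ServerName: host, MinVersion: tls.VersionTLS12}, false, nil
		}
		// verify-ca: chain check without the hostname check. crypto/tls has no
		// flag for that, so built-in checking is off and the chain is verified by hand.
		cfg = &tls.Config{
			InsecureSkipVerify: true,
			MinVersion:         tls.VersionTLS12,
			VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
				return verifyChainOnly(rawCerts, pool)
			},
		}
		return cfg, false, nil
	}
	return nil, false, fmt.Errorf("unknown ssl_mode %q", mode)
}

// verifyChainOnly accepts the presented chain if it leads to a trusted root,
// ignoring which hostname the certificate was issued for.
func verifyChainOnly(rawCerts [][]byte, roots *x509.CertPool) error {
	if len(rawCerts) == 0 {
		return errors.New("server presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	for _, raw := range rawCerts[1:] {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		intermediates.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	return err
}

// SelfSignedCAPEM mints a throwaway root CA so the example runs offline. In
// real use ssl_root_cert is the PEM your database provider publishes.
func SelfSignedCAPEM() (pemText string, der []byte, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-root-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv); err != nil {
		return "", nil, err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), der, nil
}

func main() {
	caPEM, caDER, err := SelfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	for _, mode := range []string{"disable", "prefer", "require", "verify-ca", "verify-full"} {
		cfg, fallback, err := TLSConfigForSSLMode(mode, caPEM, "db.example.internal")
		fmt.Printf("%-12s plaintextFallback=%v err=%v hasTLS=%v\n", mode, fallback, err, cfg != nil)
	}
	cfg, _, _ := TLSConfigForSSLMode("verify-ca", caPEM, "db.example.internal")
	fmt.Println("verify-ca trusted chain:", cfg.VerifyPeerCertificate([][]byte{caDER}, nil))
	fmt.Println("verify-ca bogus chain:  ", cfg.VerifyPeerCertificate([][]byte{{0x30, 0x00}}, nil))
}
```

The point to take from the require branch is that InsecureSkipVerify is exactly what "require" means: the bytes on the wire are encrypted, but nothing ties the far end to your database. Only the verify-* branches consult ssl_root_cert, and only verify-full also pins the hostname.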
At-Rest Encryption
Credential Storage
Database credentials are encrypted with AES-256-GCM before they are written to the database: a 256-bit key, a random initialization vector (IV) generated for every encryption, and a 128-bit authentication tag that makes decryption fail if the stored value has been altered. Only the IV, ciphertext and tag are stored; the plaintext password never reaches the database.
Encryption Details
| Aspect | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key Size | 256 bits |
| IV | Random, unique per encryption |
| Authentication | GCM tag (128 bits) |
Key Management
- The encryption key is supplied to the service through an environment variable, separate from the database that holds the ciphertext
- The key is never logged or included in API responses
- Key rotation is planned but not yet supported
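The scheme described above (random IV per encryption, 128-bit GCM tag, key from the environment), as an added example in Go's standard library; this is not EZ-CDC's implementation. The environment variable name EZ_CDC_CREDENTIAL_KEY, the hex key encoding, the stored layout (IV, ciphertext, tag concatenated and base64-encoded) and the use of the datasource id as associated data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// Assumed name for the environment variable that carries the hex-encoded
// 256-bit key; the page only says the key comes from the environment.
const keyEnv = "EZ_CDC_CREDENTIAL_KEY"

// LoadKey reads the master key from the environment and insists on exactly
// 32 bytes, so a mis-set variable cannot silently select AES-128 or AES-192.
func LoadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv(keyEnv))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("%s must hold 64 hex characters (a 256-bit key)", keyEnv)
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonce (IV), 16-byte (128-bit) tag
}

// Seal encrypts one credential. A fresh random nonce is drawn per call (reusing
// a nonce under the same key breaks GCM; random nonces are safe far below 2^32
// encryptions per key). aad binds the ciphertext to its owning record, here the
// datasource id, so a value copied onto another row fails authentication.
// Stored form: base64(nonce || ciphertext || tag).
func Seal(key, plaintext, aad []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, aad)), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag, key or aad makes
// the tag check fail and nothing is returned.
func Open(key []byte, sealed string, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], aad)
	if err != nil {
		return nil, errors.New("credential authentication failed")
	}
	return pt, nil
}

// Wipe zeroes a decrypted credential once the driver has consumed it. Go may
// keep other copies (string conversions, GC moves), so this is best effort.
func Wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	key := make([]byte, 32) // demo key; a service would call LoadKey()
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, _ := Seal(key, []byte("db-password-123"), []byte("ds_abc"))
	fmt.Println("stored:", sealed)
	pt, err := Open(key, sealed, []byte("ds_abc"))
	fmt.Println("decrypted:", string(pt), err)
	Wipe(pt)
	_, err = Open(key, sealed, []byte("ds_xyz")) // ciphertext moved to another record
	fmt.Println("wrong record:", err)
}
```

Two details matter for a credential store in particular: the nonce must never repeat under one key, which is why it is generated fresh and stored alongside the ciphertext rather than derived from anything, and the authentication tag covers the associated data, so a ciphertext cannot be swapped between datasource rows without being rejected.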
What's Encrypted
| Data | Encrypted? |
|---|---|
| Database passwords | ✅ Yes |
| Connection strings | ✅ Yes |
| SSL certificates | ✅ Yes |
| Table names | ❌ No (metadata) |
| Job configuration | ❌ No (non-sensitive) |
Worker Encryption
Binary Downloads
Workers download release binaries from S3 over HTTPS, so the download is protected in transit (TLS secures the channel; it does not by itself say anything about the contents of the binary):
Worker → HTTPS → S3 (ez-cdc-releases)
Instance Storage
Worker EC2 instances use encrypted EBS volumes:
```hcl
block_device_mappings {
  device_name = "/dev/xvda"
  ebs {
    encrypted = true # EBS encryption enabled
  }
}
```
Memory Security
- Credentials decrypted only when needed
- Cleared from memory after use
- No credential logging
Compliance Considerations
Data Handling
| Data Type | EZ-CDC Access |
|---|---|
| Database credentials | Encrypted, decrypted only in worker |
| Row data | Never accessed by control plane |
| Schema metadata | Visible for job configuration |
Audit Trail
Every control-plane action is recorded with who performed it, which resource it touched and where the request came from, for example:
```json
{
  "timestamp": "2024-01-15T10:30:00Z",
  "action": "datasource.created",
  "user_id": "user_123",
  "resource_id": "ds_abc",
  "ip_address": "203.0.113.1"
}
```
Certifications
- SOC 2 Type II (in progress)
- GDPR compliant
- HIPAA eligible (with BAA)
Best Practices
1. Always Use SSL
Configure all connections with SSL:
```json
{
  "postgres": {
    "ssl_mode": "require"
  },
  "starrocks": {
    "ssl_enabled": true
  }
}
```
2. Use Strong Passwords
- Minimum 16 characters
- Mix of letters, numbers, symbols
- Unique per service
3. Rotate Credentials Regularly
- Create new credentials in database
- Update datasource in EZ-CDC
- Verify connection works
- Remove old credentials
4. Use PrivateLink
For maximum security, use PrivateLink connectivity so that database traffic never crosses the public internet.