On-the-fly AES Decryption/Encryption for Cloud SQL Databases
Sushil Jajodia, Witold Litwin, Thomas Schwarz

TL;DR
This paper introduces a practical client-side AES256 encryption scheme for cloud SQL databases that enables on-the-fly decryption during query processing, maintaining security and functionality similar to plaintext databases.
Contribution
It presents a novel, practical method for integrating client-side AES encryption with cloud SQL databases, allowing real-time decryption and preserving database capabilities.
Findings
AES processing overhead is negligible on modern CPUs.
Deterministic encryption incurs no additional storage.
Probabilistic encryption doubles storage requirements.
Abstract
We propose the client-side AES256 encryption for a cloud SQL DB. A column ciphertext is deterministic or probabilistic. We trust the cloud DBMS for security of its run-time values, e.g., through a moving target defense. The client may send AES key(s) with the query. These serve the on-the-fly decryption of selected ciphertext into plaintext for query evaluation. The DBMS clears the key(s) and the plaintext at the query end at latest. It may deliver ciphertext to decryption-enabled clients or plaintext otherwise, e.g., to browsers/navigators. The scheme functionally offers to a cloud DBMS the capabilities of a plaintext SQL DBMS. AES processing overhead appears negligible for a modern CPU, e.g., a popular Intel i5. The deterministic encryption may have no storage overhead. The probabilistic one doubles the DB storage. The scheme seems the first generally practical for an outsourced…
Taxonomy
Topics: Cryptography and Data Security · Cloud Data Security Solutions · Security and Verification in Computing
