Order-preserving encryption

Published April 18, 2022 · News & Updates

Data encryption plays a critical role in the security of IT systems and communications, but it also creates new challenges for sorting, indexing, and efficient querying. To address exactly these issues, we have successfully developed and implemented our own datastore-independent order-preserving encryption (OPE). Our solution allows data encryption while still enabling datastore-native indexing and datastore-native queries such as 'starts with' and 'range' (if M < N < P then M + X < N < P + X). Of course, everything comes with a price: by definition, order-preserving encryption algorithms are less secure and slower than conventional encryption algorithms. Our solution takes this into account and offers selective order-preserving encryption per field (column), while the rest of the data is encrypted with standard encryption algorithms. Last but not least, the implementation is thread-safe and can leverage multi-core and multi-threaded architectures.
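The trade-off described above, as an added example that is not DevInPro's implementation: a toy keyed order-preserving mapping over a small integer domain. The `age_ope` field, the 0..150 domain, the key and the records are all constructed assumptions; the code shows a range query answered on ciphertexts alone, and that the same property exposes the plaintext ranking to anyone who can read the column.

```python
import bisect
import hashlib
import hmac

DOMAIN_MAX = 150  # assumption: the OPE field holds integers 0..150 (e.g. an age)

def build_table(key):
    """Map every plaintext to a strictly increasing ciphertext using keyed gaps."""
    table, total = [], 0
    for i in range(DOMAIN_MAX + 1):
        mac = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        total += 1 + int.from_bytes(mac[:2], "big")  # gap >= 1 keeps order strict
        table.append(total)
    return table

def ope_encrypt(table, value):
    if not 0 <= value <= DOMAIN_MAX:
        raise ValueError("value outside the configured domain")
    return table[value]

def ope_decrypt(table, ciphertext):
    i = bisect.bisect_left(table, ciphertext)
    if i == len(table) or table[i] != ciphertext:
        raise ValueError("not a valid ciphertext for this key")
    return i

def range_query(rows, table, low, high):
    """Client encrypts the bounds; the datastore compares ciphertexts only."""
    lo, hi = ope_encrypt(table, low), ope_encrypt(table, high)
    return [r["id"] for r in rows if lo <= r["age_ope"] <= hi]

def order_visible_without_key(rows):
    """What anyone who can read the column learns: the plaintext ranking."""
    return [r["id"] for r in sorted(rows, key=lambda r: r["age_ope"])]

# Constructed sample records (id, age); only the OPE column is stored here.
KEY = b"constructed-demo-key"
TABLE = build_table(KEY)
PEOPLE = [("a", 52), ("b", 31), ("c", 44), ("d", 19), ("e", 67)]
ROWS = [{"id": pid, "age_ope": ope_encrypt(TABLE, age)} for pid, age in PEOPLE]

if __name__ == "__main__":
    print(range_query(ROWS, TABLE, 30, 45))
    print(order_visible_without_key(ROWS))
```

The ranking leak is the reason to restrict an order-preserving scheme to the fields that actually need native range queries or indexes.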

We ran a sample measurement on a KVM virtual server with 4 virtual CPUs and 16 GB of RAM, with 4, 8 and 12 instances running simultaneously, encrypting and decrypting random small data (less than 2048 bytes). The tests show that order-preserving encryption adds an average of 5-15 ms per record on top of the standard encryption. We consider this 'price' acceptable, as it allows our customers to use public/cloud datastore providers without data leak concerns. In addition, datastore administrators do not have access to plain data, so there is no risk of incorrect data handling, as also required by the General Data Protection Regulation (GDPR).
