Admin: Automated server configuration article

2025-04-15T10:17:21Z

Automated server configuration article

New page

# Data Encryption on MediaWiki Servers

This article details the data encryption methods employed on our MediaWiki servers. It is intended for new server engineers and system administrators responsible for maintaining the security of our platform. Understanding these configurations is crucial for ensuring data confidentiality, integrity, and availability.

== Overview ==

Data encryption is a fundamental aspect of our server security strategy. We utilize a layered approach encompassing encryption at rest, encryption in transit, and database encryption to protect sensitive information. This approach mitigates risks associated with unauthorized access, data breaches, and compliance requirements. This article will cover each layer in detail. Please also review our [[Security Policy]] and [[Disaster Recovery Plan]] for related information.

== Encryption at Rest ==

Encryption at rest refers to the encryption of data when it is stored on our physical server disks. This protects data even if the physical storage media is compromised. We primarily use [[LUKS]] (Linux Unified Key Setup) for full disk encryption on all server drives containing user data, wiki content, and database files.

{| class="wikitable"
! Encryption Algorithm
! Key Size
! Mode of Operation
! Performance Impact
|-
| AES
| 256-bit
| XTS
| Minimal (hardware acceleration utilized)
|}

The encryption keys are managed securely using a [[Key Management System (KMS)]], ensuring that access to these keys is strictly controlled and audited. Regular key rotation is performed as defined in the [[Key Rotation Policy]]. Furthermore, we employ [[Data Masking]] techniques for particularly sensitive data within configuration files. A full system backup and restore procedure, tested quarterly, is documented in the [[Backup Procedures]] article.

== Encryption in Transit ==

Encryption in transit protects data while it is being transmitted between the client (user's browser) and the server, and between different servers within our infrastructure. We enforce HTTPS (Hypertext Transfer Protocol Secure) for all connections to the MediaWiki website.

{| class="wikitable"
! Protocol
! Certificate Authority
! Cipher Suites
! TLS Version
|-
| TLS 1.3 (preferred)
| Let's Encrypt
| TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
| 1.3
|-
| TLS 1.2 (fallback)
| Let's Encrypt
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| 1.2
|}

Our web server configuration (detailed in the [[Web Server Configuration]] article) strictly enforces the use of secure cipher suites and disables support for older, vulnerable protocols like SSLv3. We regularly scan for and address vulnerabilities related to TLS/SSL using tools like [[SSL Labs Server Test]]. Internal server-to-server communication also utilizes TLS, often with mutual authentication for enhanced security, as described in the [[Internal Communication Security]] document. Furthermore, our [[Load Balancer Configuration]] ensures that all traffic is properly encrypted before reaching the backend servers.

== Database Encryption ==

The MediaWiki database, which stores critical information like user accounts, revisions, and configuration settings, is also encrypted. We use Transparent Data Encryption (TDE) provided by our database system (MySQL/MariaDB).

{| class="wikitable"
! Database Engine
! Encryption Method
! Key Management
! Performance Overhead
|-
| MariaDB 10.6+
| InnoDB Transparent Data Encryption
| KMS integration
| ~2-5% (dependent on workload)
|}

TDE encrypts the database files on disk without requiring modifications to the application code. The encryption keys are again managed by our KMS. Regular database backups are encrypted using the same keys, ensuring the confidentiality of backup data as detailed in the [[Database Backup and Recovery]] guide. Database access is also restricted using [[Role-Based Access Control]] (RBAC) to limit the potential impact of unauthorized access. You should also review the [[Database Server Hardening]] article for additional security measures. Finally, we use [[Database Auditing]] to monitor and log all database activity.

== Monitoring and Auditing ==

Continuous monitoring and auditing are essential to ensure the effectiveness of our data encryption strategy. We use security information and event management (SIEM) systems to collect and analyze logs from all servers and network devices. Alerts are configured to notify security personnel of any suspicious activity, such as failed encryption attempts or unauthorized access to encryption keys. Regular security audits are conducted by our internal security team and external security consultants. See the [[Security Audit Procedures]] for details.

== Conclusion ==

Data encryption is a critical component of our overall server security architecture. By implementing a layered approach encompassing encryption at rest, in transit, and at the database level, we significantly reduce the risk of data breaches and protect the confidentiality of our users' information. It is vital that all server engineers and system administrators understand these configurations and adhere to the policies outlined in this article and related documentation.

[[MediaWiki Security]]
[[Server Administration]]
[[Database Security]]
[[HTTPS Configuration]]
[[Key Management]]
[[Backup Procedures]]
[[Disaster Recovery]]
[[Security Policy]]
[[Web Server Configuration]]
[[Internal Communication Security]]
[[Load Balancer Configuration]]
[[Database Backup and Recovery]]
[[Role-Based Access Control]]
[[Database Server Hardening]]
[[Database Auditing]]
[[SSL Labs Server Test]]
[[Security Audit Procedures]]
[[Data Masking]]
[[Key Rotation Policy]]
[[LUKS]]

[[Category:Server Hardware]]

== Intel-Based Server Configurations ==
{| class="wikitable"
! Configuration
! Specifications
! Benchmark
|-
| [[Core i7-6700K/7700 Server]]
| 64 GB DDR4, NVMe SSD 2 x 512 GB
| CPU Benchmark: 8046
|-
| [[Core i7-8700 Server]]
| 64 GB DDR4, NVMe SSD 2x1 TB
| CPU Benchmark: 13124
|-
| [[Core i9-9900K Server]]
| 128 GB DDR4, NVMe SSD 2 x 1 TB
| CPU Benchmark: 49969
|-
| [[Core i9-13900 Server (64GB)]]
| 64 GB RAM, 2x2 TB NVMe SSD
|
|-
| [[Core i9-13900 Server (128GB)]]
| 128 GB RAM, 2x2 TB NVMe SSD
|
|-
| [[Core i5-13500 Server (64GB)]]
| 64 GB RAM, 2x500 GB NVMe SSD
|
|-
| [[Core i5-13500 Server (128GB)]]
| 128 GB RAM, 2x500 GB NVMe SSD
|
|-
| [[Core i5-13500 Workstation]]
| 64 GB DDR5 RAM, 2 NVMe SSD, NVIDIA RTX 4000
|
|}

== AMD-Based Server Configurations ==
{| class="wikitable"
! Configuration
! Specifications
! Benchmark
|-
| [[Ryzen 5 3600 Server]]
| 64 GB RAM, 2x480 GB NVMe
| CPU Benchmark: 17849
|-
| [[Ryzen 7 7700 Server]]
| 64 GB DDR5 RAM, 2x1 TB NVMe
| CPU Benchmark: 35224
|-
| [[Ryzen 9 5950X Server]]
| 128 GB RAM, 2x4 TB NVMe
| CPU Benchmark: 46045
|-
| [[Ryzen 9 7950X Server]]
| 128 GB DDR5 ECC, 2x2 TB NVMe
| CPU Benchmark: 63561
|-
| [[EPYC 7502P Server (128GB/1TB)]]
| 128 GB RAM, 1 TB NVMe
| CPU Benchmark: 48021
|-
| [[EPYC 7502P Server (128GB/2TB)]]
| 128 GB RAM, 2 TB NVMe
| CPU Benchmark: 48021
|-
| [[EPYC 7502P Server (128GB/4TB)]]
| 128 GB RAM, 2x2 TB NVMe
| CPU Benchmark: 48021
|-
| [[EPYC 7502P Server (256GB/1TB)]]
| 256 GB RAM, 1 TB NVMe
| CPU Benchmark: 48021
|-
| [[EPYC 7502P Server (256GB/4TB)]]
| 256 GB RAM, 2x2 TB NVMe
| CPU Benchmark: 48021
|-
| [[EPYC 9454P Server]]
| 256 GB RAM, 2x2 TB NVMe
|
|}

== Order Your Dedicated Server ==
[https://powervps.net/?from=32 Configure and order] your ideal server configuration

=== Need Assistance? ===
* Telegram: [https://t.me/powervps @powervps Servers at a discounted price]

⚠️ *Note: All benchmark scores are approximate and may vary based on configuration. Server availability subject to stock.* ⚠️

Data Encryption - Revision history

Admin: Automated server configuration article