Data Encryption on MediaWiki Servers
This article details the data encryption methods employed on our MediaWiki servers. It is intended for new server engineers and system administrators responsible for maintaining the security of our platform. Understanding these configurations is crucial for ensuring data confidentiality, integrity, and availability.
Overview
Data encryption is a fundamental part of our server security strategy. We use a layered approach: encryption at rest, encryption in transit, and database encryption. Each layer answers a different failure: a disk that leaves our custody, a connection that is intercepted, and a database file or backup that is copied off the host. No layer replaces access control on a running server, where data must be decrypted to be served. This article covers each layer in turn. Please also review our Security Policy and Disaster Recovery Plan for related information.
Encryption at Rest
Encryption at rest protects data stored on the server's physical disks. It defends against offline access to the media: a drive that is stolen, returned under warranty, or decommissioned without wiping yields only ciphertext. It does not protect data on a running server, because the volumes are unlocked at boot and readable by any process with the right filesystem permissions. We use LUKS (Linux Unified Key Setup) for full disk encryption on all server drives that hold user data, wiki content, or database files.
Encryption Algorithm | Key Size | Mode of Operation | Performance Impact |
---|---|---|---|
AES | 256-bit | XTS | Minimal (hardware acceleration utilized) |
In cryptsetup terms this is the cipher aes-xts-plain64 with a 512-bit master key: XTS consumes two AES keys, so a 512-bit LUKS key size is what yields AES-256 (a 256-bit key size would silently give AES-128). XTS provides confidentiality only; it does not detect modification of the ciphertext, so integrity of stored data is not a property of this layer.
The encryption keys are managed by a Key Management System (KMS), so access to them is strictly controlled and audited. Regular key rotation is performed as defined in the Key Rotation Policy. Note that changing a LUKS passphrase or keyslot only re-wraps the volume master key; only a full re-encryption (cryptsetup reencrypt on LUKS2) replaces the key that actually protects the data. Secrets that must live in configuration files, such as the database credentials MediaWiki reads from LocalSettings.php, are handled with the Data Masking techniques described in that article. A full system backup and restore procedure, tested quarterly, is documented in the Backup Procedures article.
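As an added example (not part of this page or of our provisioning tooling), the following shell script creates a LUKS2 volume with the parameters in the table above and checks an opened mapping against that policy. The device path, the mapping names and the two cryptsetup status outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: provision a LUKS2 volume per the table above (AES-256, XTS)
# and audit an opened mapping against that policy. Device and mapping names
# are assumptions; the status outputs below are constructed samples.

# Expected parameters. XTS needs two AES keys, so cryptsetup's --key-size 512
# is what produces AES-256-XTS; --key-size 256 would silently give AES-128.
POLICY_CIPHER="aes-xts-plain64"
POLICY_KEYSIZE="512"
POLICY_TYPE="LUKS2"

# Format, open and create a filesystem on a fresh data volume. Destructive and
# interactive (luksFormat prompts for the passphrase); not invoked here.
# /dev/sdb1 and "wikidata" are hypothetical.
luks_setup() {
    dev="$1"; name="$2"
    cryptsetup luksFormat --type luks2 \
        --cipher "$POLICY_CIPHER" --key-size "$POLICY_KEYSIZE" \
        --pbkdf argon2id "$dev"
    cryptsetup open "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
}

# Read "cryptsetup status <name>" output from stdin; succeed only when the
# type, cipher and key size all match the policy.
check_luks_status() {
    status=$(cat)
    luks_type=$(printf '%s\n' "$status" | awk '$1 == "type:"    { print $2 }')
    cipher=$(printf '%s\n' "$status"    | awk '$1 == "cipher:"  { print $2 }')
    keysize=$(printf '%s\n' "$status"   | awk '$1 == "keysize:" { print $2 }')
    if [ "$luks_type" != "$POLICY_TYPE" ] || [ "$cipher" != "$POLICY_CIPHER" ] \
       || [ "$keysize" != "$POLICY_KEYSIZE" ]; then
        printf 'non-compliant: type=%s cipher=%s keysize=%s\n' \
            "$luks_type" "$cipher" "$keysize" >&2
        return 1
    fi
    return 0
}

# Audit a live mapping on a real host (not run here).
audit_luks_device() {
    cryptsetup status "$1" | check_luks_status
}

# Constructed status output for a compliant mapping.
SAMPLE_OK='/dev/mapper/wikidata is active and is in use.
  type:    LUKS2
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: keyring
  device:  /dev/sdb1
  sector size:  512
  offset:  32768 sectors
  size:    1953492992 sectors
  mode:    read/write'

# Constructed status output for a legacy LUKS1 mapping that must be migrated.
SAMPLE_BAD='/dev/mapper/legacy is active.
  type:    LUKS1
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/sdc1
  offset:  4096 sectors
  size:    976773168 sectors
  mode:    read/write'

if printf '%s\n' "$SAMPLE_OK" | check_luks_status; then
    echo "wikidata: compliant"
fi
if ! printf '%s\n' "$SAMPLE_BAD" | check_luks_status; then
    echo "legacy: needs re-encryption (cryptsetup reencrypt)"
fi
```

Run audit_luks_device against each mapping from a configuration check; a LUKS1 or CBC result is a migration ticket, not an alert, since the data is still encrypted, just under a weaker construction than the policy requires.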
Encryption in Transit
Encryption in transit protects data while it is being transmitted between the client (user's browser) and the server, and between different servers within our infrastructure. We enforce HTTPS (Hypertext Transfer Protocol Secure) for all connections to the MediaWiki website.
TLS Version | Role | Certificate Authority | Cipher Suites |
---|---|---|---|
1.3 | Preferred | Let's Encrypt | TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 |
1.2 | Fallback | Let's Encrypt | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
All listed suites use AEAD ciphers and ephemeral key exchange, so a later compromise of the server's private key does not expose recorded sessions. The TLS 1.2 suites are the RSA-authenticated variants; if a host is issued an ECDSA certificate, the matching TLS_ECDHE_ECDSA_WITH_* suites must be enabled or TLS 1.2 clients will be unable to connect.
Our web server configuration (detailed in the Web Server Configuration article) enforces these cipher suites and disables SSLv3, TLS 1.0, and TLS 1.1. We regularly scan for TLS configuration weaknesses with tools such as the SSL Labs Server Test and remediate findings. Internal server-to-server communication also uses TLS, often with mutual authentication, as described in the Internal Communication Security document. Our Load Balancer Configuration ensures that traffic to the backend servers is encrypted, so no plaintext HTTP crosses the internal network even where client TLS is terminated at the load balancer.
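Added example (not from this page or from the Web Server Configuration article): an nginx TLS server block that implements the table above, and a lint function that rejects any configuration enabling a protocol or TLS 1.2 suite outside it. nginx is an assumption, since this page does not name the web server; the hostname, certificate paths and both configuration samples are constructed.

```shell
#!/bin/sh
# Added example: enforce the protocol/cipher table for nginx (assumed web
# server). ssl_ciphers uses OpenSSL names; TLS 1.3 suites are set through
# ssl_conf_command because OpenSSL keeps them on a separate list.

# Allowed TLS 1.2 suites, OpenSSL spelling of the IANA names in the table.
# These are the RSA variants; an ECDSA certificate needs ECDHE-ECDSA-*.
ALLOWED_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384"
ALLOWED_PROTOCOLS="TLSv1.2 TLSv1.3"

# Constructed reference server block (hostname and paths are placeholders).
GOOD_CONF='server {
    listen 443 ssl;
    server_name wiki.example.org;
    ssl_certificate     /etc/letsencrypt/live/wiki.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
}'

# Constructed non-compliant block: legacy protocols and a non-PFS suite.
BAD_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA";
}'

in_list() {  # in_list NEEDLE "a b c"
    for item in $2; do [ "$item" = "$1" ] && return 0; done
    return 1
}

# Lint an nginx config read from stdin: every ssl_protocols token and every
# ssl_ciphers entry must be on the allow-lists, and both directives must exist.
check_nginx_tls() {
    conf=$(cat)
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*//p' | tr -d ';')
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*//p' | tr -d '";' | tr ':' ' ')
    if [ -z "$protos" ] || [ -z "$ciphers" ]; then
        echo "ssl_protocols or ssl_ciphers missing" >&2
        return 1
    fi
    rc=0
    for p in $protos; do
        in_list "$p" "$ALLOWED_PROTOCOLS" || { echo "forbidden protocol: $p" >&2; rc=1; }
    done
    for c in $ciphers; do
        in_list "$c" "$ALLOWED_CIPHERS" || { echo "cipher not allowed: $c" >&2; rc=1; }
    done
    return $rc
}

# Live probe for a deployed host (not run here): a TLS 1.1 handshake must fail.
probe_legacy_tls() {
    openssl s_client -connect "$1:443" -tls1_1 </dev/null >/dev/null 2>&1 && return 1
    return 0
}

printf '%s\n' "$GOOD_CONF" | check_nginx_tls && echo "reference config: compliant"
printf '%s\n' "$BAD_CONF"  | check_nginx_tls || echo "legacy config: rejected"
```

The lint is deliberately an allow-list rather than a deny-list of known-bad suites: a new suite appearing in the configuration fails the check until someone adds it to the table, which is the review step the policy wants. The three TLS 1.3 suites in the table are OpenSSL's defaults, so the ssl_conf_command line documents intent rather than changing behaviour.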
Database Encryption
The MediaWiki database, which stores critical information like user accounts, revisions, and configuration settings, is also encrypted. We use Transparent Data Encryption (TDE) provided by our database system (MySQL/MariaDB).
Database Engine | Encryption Method | Key Management | Performance Overhead |
---|---|---|---|
MariaDB 10.6+ | InnoDB Transparent Data Encryption | KMS integration | ~2-5% (dependent on workload) |
TDE encrypts the InnoDB data files on disk without changes to the application. Pages are decrypted in the buffer pool, so anyone with SQL access, or root on the running host, still sees plaintext; TDE is not a substitute for the access controls below. It sits on top of the LUKS layer: its value is that database files and backups copied off the encrypted volume stay protected, and that the redo log, binary log and temporary files are covered as well when the corresponding settings are enabled, not only the table data. The encryption keys are again managed by our KMS. Regular database backups are encrypted using the same keys, ensuring the confidentiality of backup data as detailed in the Database Backup and Recovery guide. A restore therefore requires the key versions that were current at backup time, so key retention must outlive backup retention. Database access is restricted using Role-Based Access Control (RBAC) to limit the impact of a compromised account. You should also review the Database Server Hardening article for additional security measures. Finally, we use Database Auditing to monitor and log all database activity.
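Added example (not from this page or from the Database Server Hardening article): a MariaDB TDE configuration that covers the data files, redo log, binary log and temporary files, with two checks run over the server's own reports to catch the usual gaps (a setting left at its default, a tablespace that is still unencrypted). The file_key_management plugin and its paths are placeholders for the KMS plugin used in production; the variable and tablespace reports are constructed.

```shell
#!/bin/sh
# Added example: MariaDB TDE settings that cover data files, redo log, binlog
# and temp files, plus two checks over the server's own reports. The key
# plugin is file_key_management as a placeholder; production fronts the KMS
# with its plugin. Sample outputs are constructed.

# Reference [mariadb] section (constructed; paths are placeholders).
MARIADB_TDE_CONF='[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = /etc/mysql/encryption/keyfile.enc
file_key_management_filekey = FILE:/etc/mysql/encryption/.keyfile.key
file_key_management_encryption_algorithm = AES_CTR
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON'

# Variables that must be ON. innodb_encrypt_tables may also be FORCE, which
# additionally refuses CREATE TABLE ... ENCRYPTED=NO.
REQUIRED_VARS="innodb_encrypt_tables innodb_encrypt_log encrypt_binlog encrypt_tmp_files"

# Check "SHOW GLOBAL VARIABLES" output (name/value rows, tab-separated from
# mariadb --batch; awk's default splitting accepts tabs or spaces) on stdin.
check_tde_vars() {
    vars=$(cat)
    rc=0
    for v in $REQUIRED_VARS; do
        val=$(printf '%s\n' "$vars" | awk -v n="$v" '$1 == n { print $2 }')
        case "$val" in
            ON|FORCE) ;;
            *) echo "$v is '${val:-unset}', expected ON" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Print the NAME of every tablespace whose ENCRYPTION_SCHEME is 0, reading
#   SELECT SPACE, NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID
#   FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;
# output (header row first) from stdin.
unencrypted_tablespaces() {
    awk 'NR > 1 && $3 == "0" { print $2 }'
}

check_all_encrypted() {
    missing=$(unencrypted_tablespaces)
    if [ -n "$missing" ]; then
        printf 'unencrypted tablespace: %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Constructed variable report: binlog encryption was left at its default.
SAMPLE_VARS='Variable_name Value
innodb_encrypt_tables FORCE
innodb_encrypt_log ON
encrypt_binlog OFF
encrypt_tmp_files ON'

# Constructed tablespace report: one table not yet picked up by the
# background encryption threads.
SAMPLE_TABLESPACES='SPACE NAME ENCRYPTION_SCHEME CURRENT_KEY_ID
0 innodb_system 1 1
3 wikidb/revision 1 1
4 wikidb/user 1 1
7 wikidb/objectcache 0 0'

printf '%s\n' "$SAMPLE_VARS" | check_tde_vars || echo "fix my.cnf and restart"
printf '%s\n' "$SAMPLE_TABLESPACES" | check_all_encrypted || echo "re-check after the encryption threads finish"
```

On a live host, feed the checks from mariadb --batch --skip-column-names is not wanted here: both functions expect the header row, as the queries above produce it. The tablespace check is the one to run after every restore as well, because a backup taken with mariabackup copies encrypted pages unchanged and decrypts nothing; the restored instance needs the same key IDs available to read them.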
Monitoring and Auditing
Continuous monitoring and auditing verify that the encryption controls stay in place. We use a security information and event management (SIEM) system to collect and analyze logs from all servers and network devices. Alerts notify security personnel of suspicious activity, such as volumes that fail to unlock at boot, key-management plugin errors, or reads of key material by anything other than the service that owns it. Regular security audits are conducted by our internal security team and by external security consultants. See the Security Audit Procedures for details.
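Added example (not from this page or from the Security Audit Procedures): detection logic for one of the alert conditions above, reads of key material by anything other than the service that owns it. It assumes auditd watches the MariaDB key directory with the rule shown; the directory, the rule file path and the audit records are constructed.

```shell
#!/bin/sh
# Added example: flag reads of local key material by anything other than the
# owning service. Assumes auditd watches the MariaDB key directory with the
# rule below (path is an assumption); the audit records are constructed.

# /etc/audit/rules.d/tde-keys.rules (assumed path): log every read, write or
# attribute change under the key directory, tagged "tde_keys".
AUDIT_RULE='-w /etc/mysql/encryption/ -p rwa -k tde_keys'

# Binaries expected to touch the keys. Everything else is an alert.
ALLOWED_EXE="/usr/sbin/mariadbd"

# Read audit.log (or "ausearch -k tde_keys --raw") from stdin and print one
# ALERT line per SYSCALL record whose exe is not on the allow-list. auid is
# the login user, which survives sudo; uid is the effective user at the time.
key_access_alerts() {
    awk -v allow="$ALLOWED_EXE" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^type=SYSCALL / && /key="tde_keys"/ {
            auid = "?"; uid = "?"; exe = "?"; comm = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^uid=/)  uid  = substr($i, 5)
                if ($i ~ /^exe=/)  { exe  = substr($i, 5); gsub(/"/, "", exe) }
                if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            if (!(exe in ok))
                print "ALERT key material read by auid=" auid " uid=" uid " comm=" comm " exe=" exe
        }'
}

# Exit non-zero when any alert was produced, for use from a SIEM collector.
check_key_access() {
    alerts=$(key_access_alerts)
    if [ -n "$alerts" ]; then
        printf '%s\n' "$alerts" >&2
        return 1
    fi
    return 0
}

# Constructed records: the database reading its key file at startup (normal),
# then an administrator under sudo copying it (auid 1001, uid 0; alert).
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:811): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d1c0a2e2f0 a2=80000 a3=0 items=1 ppid=1 pid=1344 auid=4294967295 uid=27 gid=27 euid=27 suid=27 fsuid=27 egid=27 sgid=27 fsgid=27 tty=(none) ses=4294967295 comm="mariadbd" exe="/usr/sbin/mariadbd" key="tde_keys"
type=PATH msg=audit(1700000000.101:811): item=0 name="/etc/mysql/encryption/keyfile.enc" inode=262401 dev=fd:01 mode=0100600 ouid=27 ogid=27 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.902:819): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2b0c3a10 a2=0 a3=0 items=1 ppid=2811 pid=2840 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="tde_keys"'

printf '%s\n' "$SAMPLE_AUDIT" | check_key_access || echo "escalate per Security Audit Procedures"
```

Matching on exe rather than comm matters: comm is the process name and is trivially set by the caller, whereas exe is the executable path the kernel resolved. The allow-list should also include the backup tool that reads the key file, otherwise every scheduled backup fires the alert.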
Conclusion
Data encryption is a critical component of our overall server security architecture. By implementing a layered approach encompassing encryption at rest, in transit, and at the database level, we significantly reduce the risk of data breaches and protect the confidentiality of our users' information. It is vital that all server engineers and system administrators understand these configurations and adhere to the policies outlined in this article and related documentation.
Related Articles
- MediaWiki Security
- Server Administration
- Database Security
- HTTPS Configuration
- Key Management
- Backup Procedures
- Disaster Recovery
- Security Policy
- Web Server Configuration
- Internal Communication Security
- Load Balancer Configuration
- Database Backup and Recovery
- Role-Based Access Control
- Database Server Hardening
- Database Auditing
- SSL Labs Server Test
- Security Audit Procedures
- Data Masking
- Key Rotation Policy
- LUKS