Server Side Encryption

Hi everyone and thanks in advance for reading/responding!

Is there a way to provide database encryption on the server side so that we do not have to implement encryption/decryption on the client/SDK side for DataConverter?

Our team is building out a Temporal infrastructure and other teams will be writing client side workers in Go, Ruby and Python. I have read through all the posts linked at the bottom here, which all point to using the DataConverter API to do encryption. However, this doesn’t seem ideal for us because we will need to re-implement those algorithms in all 3 languages for our teams. Furthermore, ideologically it is not ideal because we have to put trust in our clients to “do the right thing” so that encryption happens at the database level.

The use case here is that we fundamentally trust the data in transit and in memory in the Temporal cluster itself (frontend, history, matching, backend worker services), so we don’t actually need the overhead of having the data encrypted while in the Temporal backend cluster, but we do not want to trust the data at rest in our vendor Cassandra database provider.

As such, is there a way to only encrypt the data which is stored in Cassandra, which we could configure/plug in only into the backend services and not the frontend/client/SDK/worker code?

Thanks again, we’re really stoked to be trying this solution out!


Related posts:

https://community.temporal.io/t/passing-sensitive-data-from-workflow-to-activity/505

Please create a feature request for the server side encryption feature:

Hi @Wenquan_Xing. Thanks for pointing me there. Can you confirm that you are saying there is no way to accomplish this currently? Thank you.

It is not hard to accomplish server side encryption, but this will require some server side changes.

Done, thanks! Server Side Encryption · Issue #1531 · temporalio/temporal · GitHub